The Twilight Zone of Cyber Response

December 10, 2013
Raising the Bar: Post by Emily Frye

Could this really happen? Is a cyber attack an emergency? Individuals and businesses (large and small) are victimized by cyber attacks every day. Denial-of-service attacks, financial and identity theft, stealing intellectual property—these all are crimes. If you can't call 911 when you are hacked, what can you do? The non-emergency police number will produce no better results.

Today we are witnessing a wide range of consequences from our increasing reliance on cyberspace. Many of these consequences have been beneficial—from real-time broadcasting of alerts from disaster areas, to social media-fueled uprisings against oppressive regimes, to worldwide communities collaborating to develop open source software.

As with any human endeavor, though, there are those who see this new environment as another opportunity for crime. We are not yet able to provide adequate "emergency" responses to victims or protect users in cyberspace.

New Challenges

A victim of a physical crime can call for help and reasonably expect to receive a timely response from an organization created and authorized to provide that assistance. But nothing like this exists for cyberspace. There are too many potential and actual victims, and the real-time data flow is too large for police, the military, or the courts to respond to quickly enough to provide effective help. The typical victim of a cyber attack will be unable to do anything more than reformat the affected system and request new credit cards. Victims of some types of cybercrime, like intellectual property theft (and especially trade secret theft), have almost no recourse. They fall into the twilight zone of cyber response.

This state of affairs has eroded public confidence in the ability of local law enforcement and national security institutions to defend the nation and its citizens from cyber attack. Ideally, we would put smart heads together and generate a thoughtful, well-organized approach to the problem of crime in cyberspace, but that has not yet happened. Partly, this is because we are accustomed to dealing with crime at the local, state, and federal level, rather than as a global matter. (Certainly, international espionage is not a new phenomenon, but the share of "off-line crime" that is truly international is small.)

By contrast, global crime, as best we can determine, is the norm in cyberspace. The matter is further complicated by the fact that it is rarely possible to determine a perpetrator's identity, nationality, or location with confidence: traffic is routed through compromised intermediaries and rented infrastructure in other jurisdictions, so the address that appears in a victim's logs is seldom the attacker's own. Absent an extremely sophisticated victim, perpetrators remain unidentifiable.

Investigations of cyber crimes are also very different from investigations of physical crimes. Those who respond to physical crime are trained to identify clues, take reports, and preserve and track evidence using (primarily) human-based processes. Once a crime scene is cordoned off, fingerprints can be gathered systematically, the entire scene can be meticulously photographed, blood stains can be scrutinized in a lab for DNA, and so on.

There is no way to cordon off the "always active" environment of cyberspace. Digital evidence can deteriorate very quickly: the contents of memory are lost when a machine is powered down, logs are overwritten as they rotate, and records of a connection may be gone within hours. When such evidence does survive, it is often held by third parties and can be difficult to access and preserve. We need to think anew about appropriate, effective, local responses to cyber attacks that originate from around the globe.

An Active Defense Approach?

One path we might investigate is a more active role for victims. While mugging victims are generally in no condition to defend themselves after an attack, some victims of cyber crimes can actually help in their own defense. Some of the nation's most profitable companies own sophisticated networks with monitoring capabilities that can track and preserve critical evidence, which would otherwise quickly expire. Today, the law discourages those who could play a more active role in an investigation—those who could, in fact, partner with law enforcement to identify, capture, and preserve transient digital evidence.

Some companies are already taking the kinds of actions that could support this partnership role. They are carefully weighing the risk of punishment against the losses they may suffer. It is difficult to imagine a judge penalizing a company that has suffered demonstrable harm for merely gathering evidence in its own case; but at present, the law is unsupportive.

However, history shows that when governments can't protect them, individuals and groups do not sit idly by. Some will develop their own solutions and mitigation strategies.

And so, while many organizations continue to strengthen their defensive postures, a small number of forward-leaning commercial firms and security service providers are also practicing what is termed "active defense." In addition to traditional defensive controls and incident response procedures, these firms integrate three techniques that are new to the private sector: cyber intelligence analysis, defensive engagement of the threat, and focused sharing and collaboration. These organizations make risk calculations every day, trying to balance the risk of doing too little to defend their IT infrastructure and intellectual property against the risk of doing too much—that is, doing something that might be judged to be illegal.

The Historical Context: Active Defense and the Law

It is commonly assumed that all active defense-like activities would be illegal under the prohibition on accessing a computer "without authorization" in the Computer Fraud and Abuse Act (18 U.S.C. § 1030).

Does the Computer Fraud and Abuse Act take precedence here or are the laws regarding protection of property more relevant?

Although the law does not specifically address active defense, especially in the cyberspace context, it does have something to say about actions in the physical world that might be analogized to active defense. What can we find in the law that might apply in this situation? If we go back to early English law, we'll find some useful precedent.

In early English law, a scarce police presence, the remoteness of what law enforcement was available, and slow modes of travel led to a line of cases and legal doctrines relating to the defense of property, in real time, by property owners themselves. These cases generally produced three main points of law. First, using deadly force solely in defense of property (and not in defense against a threat to life or limb) is unacceptable. (Search Bird v. Holbrook or "spring guns" to learn more.) Second, damaging or destroying property in defense of one's own property is acceptable, though the damage may have to be paid for. (See Ploof v. Putnam for more.) Third, a private citizen can use reasonable force to detain someone suspected of a felony (or of a lesser violent or threatening crime) until law enforcement arrives. (See Crawford v. Commonwealth.) In the U.S., many states also allow private detention, short of arrest, for a specific purpose, such as a merchant's investigation of whether a customer paid in full.

These legal "privileges" excused behavior that otherwise would have generated liability. The courts allowed these actions in the physical world because they were calculated to prevent harm to individuals or real property; the same reasoning could be extended to cyberspace. But how should these privileges apply? How should their limitations apply? And how will companies, law enforcement, and cyber criminals respond to changes in the law?

Shaping the Discussion

The opportunity to shape the discussion is open, and ideas for reform are being discussed in the Bar and on the Hill. MITRE can help ground the legal and policy ideas in technical reality. Perhaps, in fact, the right minds are starting to come together to forge the kind of thoughtful, well-organized approach that cybercrime requires.

For further background, read Stewart Baker's overview of a debate among cyber legal and policy experts Orin Kerr, Eugene Volokh, and himself at:

http://www.steptoecyberblog.com/2012/11/02/the-hackback-debate/.

What do you think about active defense? Join the discussion: https://groups.google.com/forum/?fromgroups=#!forum/active-defense (Google account required) or email active-defense+subscribe@googlegroups.com (Google account not required).

I would like to acknowledge Marnie Salisbury and Brad Edmondson for their contributions to this post.