NEWPORT, RI—Over 100 senior leaders representing Rhode Island’s private and public sectors, law enforcement, and academia gathered at the Pell Center on May 20, 2014 to participate in a two-hour panel discussion on “Cybersecurity and Cyber Counter Strikes: Concepts and Laws.” The event brought together internationally renowned experts and cybersecurity practitioners to discuss numerous key cyber-operation concepts, including the legal implications of active defense, cyber-countermeasures vis-a-vis the Tallinn Manual, and how “privatized cyber counter strikes” may influence the future of cyber deterrence.
The panel included Joe Provost, CEO of SYNCSTATE, a cyber threat security and intelligence analysis company; Robert Clark, Distinguished Professor of Law at the U.S. Naval Academy’s Center for Cyber Security Studies; Colonel James Bitzes, Staff Judge Advocate for the U.S. Cyber Command; Professor Michael Schmitt, Director of the Stockton Center for the Study of International Law at the U.S. Naval War College and main author of the “Tallinn Manual on the International Law Applicable to Cyber Warfare;” and Karl Wadensten, President of VIBCO, a prominent RI manufacturer.
The discussion focused on an issue that is both timely and controversial: commercial hacking and the lack of clearly-defined laws—whether domestic or international—to deter, punish, and/or pursue foreign hackers. The event took place one day after the U.S. government announced unprecedented cyber espionage charges against five Chinese military officers for allegedly conspiring to hack U.S. companies to steal confidential business information, sensitive trade secrets, and internal communications for competitive advantage. It remains to be seen whether these charges will yield any practical results or whether the charges are merely a symbolic step by the Obama Administration to prosecute state-sponsored cyber threats. The latter appears the most likely outcome, as the Chinese officers are unlikely to ever set foot in a U.S. courtroom. And as Peter Singer, Brookings Institution fellow and author of Cybersecurity and Cyberwar, recently stated, “Even if they were found guilty, this would do little to disrupt a vast network of hackers that includes military units and a broader cyber militia.”
Estimates indicate that industrial espionage costs the U.S. economy as much as $120bn a year. The Obama Administration has made clear that it takes the threat seriously and is escalating efforts to stop it. In the meantime, “hacking back” techniques (engaging in cyber intrusions against the initial adversary) are becoming increasingly appealing to companies that wish to identify and expose hackers, and potentially cripple the operations of cyber attackers. The hitch, however, is that current U.S. law makes it illegal for private firms to launch retaliatory cyber attacks to defend their Intellectual Property (IP) and business interests online. In addition, international laws and major treaties between the U.S. and its allies are often ambiguous when attempting to classify types of unwanted aggressive cyber operations. Lastly, it is unclear what effective measures a private company targeted for electronic espionage can take; whether the compromised firm can actively seek out its offender and conduct a cyber counter strike to electronically retrieve its information; and what laws would protect a company engaged in active defense operations from prosecution.
Advocates of active defense, like Mr. Provost, point out that criminal and state-run hackers are only getting better, and that the low risk of being caught versus the high potential for reward creates conditions where hackers will persist until they succeed. Mr. Provost spoke about a challenging case study of a fictional energy company that became the victim of IP theft and other energy and resource extraction via cyberspace. In this case, the company had already exhausted all its defense measures (tools to prevent and mitigate cyber intrusions) and was unable to meet its burden of proof to bring a legitimate case before a court under any of the available laws, such as the Computer Fraud and Abuse Act (CFAA), the Electronic Espionage Act (EEA), or the Anti Hacking Statute. While the law compels the company not to take any offensive measures on its own, such as “hacking back” into the attacker’s computer systems, it does not provide the company with many other options. The laws only suggest that this fictional company should turn the case over to local and federal law enforcement officials, and that the company call the adversary’s administrator to stop the original attack and to aid in identifying the origin of the attack. Obviously, it is implausible that an adversary would comply with such a request. Ultimately, the company decides to hire SYNCSTATE to identify and eradicate the malware in its systems and strike back to recover its IP. SYNCSTATE assures the company that it would not compromise any computer systems of unwitting third parties or break any U.S. law (the action would not take place within the geographic boundaries of the U.S.).
The lawyers on the panel acknowledged the difficulty and the murky legal constraints of this case, and agreed that the law has not caught up with the technological need for specific provisions to actively defend private networks. They warned, however, that striking back would be considered illegal under both federal and state laws, and that the potential escalation of retaliatory cyber attacks could erode what few cyber-norms already exist in cyberspace. The situation, in short, is precarious. As a result, companies employing these techniques are advised to consider the potential legal exposure and ethical issues of active defense operations and “get their lawyers involved early and often,” according to Professor Clark. Colonel Bitzes reminded the audience that neither the government nor the private sector owns the cyber domain and that “cybersecurity is a team sport,” requiring combined efforts and early information sharing. Allowing civilian companies to orchestrate and conduct offensive cyber operations outside of U.S. jurisdiction could have a series of potential cascading effects, including political and military pitfalls, and may incite hackers frustrated with such countermeasures to hit even harder. Moreover, as Professor Schmitt eloquently explained, the right to self-defense—inherent only to states under Article 51 of the U.N. Charter—and the possibility to legally employ countermeasures, such as temporarily lawful actions undertaken by an injured state in response to another state’s internationally wrongful act, would not apply to this case. On the other hand, there are no specific international laws that would prohibit the fictional company from striking back, since neither its actions nor those of the criminal organization that attacked it are sponsored by states or caused physical damage to systems or harm to people. But if the U.S. allowed American companies to challenge foreign hackers at their own dirty game, it would violate its own legal obligations to stop the offensive actions of a company within its own borders and maintain control over its territory.
While the recent U.S. indictment of Chinese hackers was a welcome change and signaled a step in the right direction, the norms around cyberspace and the technological limits of hacking are evolving so rapidly and unpredictably that it’s tough to really evaluate the upsides and downsides of hacking back. The costs of inaction are clear and substantial, but the costs of expanding offensive cyber operations to any corporation with an IT department may be even higher in the absence of clear rules and guidelines.
This was the last of the Rhode Island Corporate Cybersecurity Initiative’s event series for this academic year. For more information on the initiative and next fall’s rich events program, contact the Pell Center at [email protected] or 401-341-2927.