Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
5 Perspectives on Cyberattack Outside National Security As noted in Chapters 3 and 4, the military and intelligence commu- nities have missions to which cyberattack capabilities are relevant. But cyberattack may be relevant to at least two other constituenciesâthe domestic law enforcement community and the private sector. This chap- ter explores some of those possible connections. 5.1â Cyberattack and Domestic Law Enforcement For many years, the law enforcement community has had the author- ity to undertake covert surveillance and monitoring of electronic com- puter-based communications under legally authorized circumstances. (The legal authority for such activity is Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended to include the Electronic Communications Privacy Act, and briefly described in Chapter 7.) In addition, law enforcement authorities may conduct surreptitious searches of computers for documents when so authorized under a court-issued warrant. From a technological standpoint, such activities are equivalent to the intelligence collection activities described in Chapter 4. Law enforcement authorities can and do conduct cyberexploitation with the appropriate legal authorization, although the legal framework for providing authori- zation is very different for the law enforcement community than for the intelligence community. By contrast, law enforcement authorities often eschew cyberattack. 200
PERSPECTIVES ON CYBERATTACK OUTSIDE NATIONAL SECURITY 201 One possible reason is the prosecutorial focus of law enforcement authori- ties, who are generally concerned with obtaining legally admissible evi- dence in order to support successful prosecution. Evidence collected from the computers of suspects has been subject to claims that computer records have been altered. Absent specific evidence that tampering has occurred, such claims have not prevailed to date. But if an operation were specifically designed to damage or destroy information resident on a target computer, it is hard to imagine that such claims would not be taken more seriously. A second reason may be that other tools are often available. For example, a criminal website in the United States being used to defraud consumers, for example, can be taken down by legal rather than techni- cal means. On the other hand, public reports indicate that law enforcement authorities have in fact conducted denial-of-service attacks against wire- less (cell phone) networks and other wireless devices such as garage door openers and remote control devices for toys in order to prevent their use to detonate remote-controlled bombs. Jamming cell phone networks in a specific geographic area could be used to help stop terrorists and criminals from coordinating their activities during a physical attack and prevent suspects from erasing evidence on wireless devices. In prisons, jamming could interfere with the ability of prison inmates to use contra- band cell phones, which are often used to intimidate witnesses, coordinate escapes, and conduct criminal enterprises. Federal law enforcement officials are permitted to use jamming tech- nology with specific legal authorization, and state and local law enforce- ment agencies are not allowed to do so at all. In particular, 47 USC 333 states that âno person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or autho- rized by or under this chapter or operated by the United States Govern- ment.â However, Section 305 of the Communications Act of 1934 (today 47 USC 305) stipulated government-owned radio stations need not adhere to rules and regulations designed to prevent interference with other radio stations. The National Telecommunications and Information Adminis- U.S. Department of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, July 2002, available at http://www.usdoj.gov/criminal/cybercrime/ s&smanual2002.htm#_VB1_. Specifically, the Washington Post reported that such jamming technology was used to protect President Obamaâs inaugural motorcade on Pennsylvania Avenue. See S Â pencer S. Hsu, âLocal Police Want Right to Jam Wireless Signals,â Washington Post, Feb- ruary 1, 2009, p. A02, available at http://www.washingtonpost.com/wp-dyn/content/ article/2009/01/31/AR2009013101548_pf.html.
202 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES tration Organization Act of 1992, Public Law 102-538 and codified at 47 USC 901-904, established the NTIA as the federal point of responsibility for managing U.S. domestic use of the spectrum. Specifically, the Office of Spectrum Management within the National Telecommunications and Information Administration of the Department of Commerce develops and implements policies and procedures for domestic issues regarding the use of the spectrum by the federal government in the United States. The use of jamming technology is not the only way to thwart the use of cell phones for terrorist or criminal purposes. Persuading cell phone providers to shut down service, either over a broad area or just in the vicinity of a few specific cell towers, can also work effectivelyâsuch an approach to a cell phone provider might well be regarded as the equiva- lent of a close-access âcyberattack.â In February 2009, Senator Joseph I. Lieberman planned to introduce legislation that would give law enforcement agencies âthe tools they need to selectively jamâ communications in the event of a terrorist attack. Senator Kay Bailey Hutchison and Representative Kevin Brady also intro- duced a bill that would allow the U.S. Bureau of Prisons and governors to seek the authority to jam cell phones in prisons. 5.2â Threat Neutralization In the Private Sector 5.2.1â Possible Response Options for Private Parties Targeted by Cyberattack In general, a private party that is the target of a cyberattack has four options for responding. First, it can implement passive measures to strengthen its defensive posture. For example, it can drop functionality on its own systems that the attacker is trying to exploit, reject traffic, and close ports on its firewall. Second, it can report the event to law enforce- ment authorities, and law enforcement authorities can take appropriate action to try to shut down the cyberattack (e.g., by finding the perpetrator See http://www.ntia.doc.gov/osmhome/roosa8.html. Indeed, the Washington Post story reported that the U.S. Department of Homeland Security reached an agreement in 2006 with cell phone companies to voluntarily shut down service under certain circumstances, which could disable signals for areas ranging from a tunnel to an entire metropolitan region. See Spencer S. Hsu, âLocal Police Want Right to Jam Wireless Signals,â Washington Post, February 1, 2009, p. A02, available at http://www.washingtonpost.com/wp-dyn/Â content/article/2009/01/31/AR2009013101548_pf.html. Matthew Harwood, âBill Would Allow Prisons to Jam Cell Phone Signals,â Security Management, January 16, 2009, available at http://www.securitymanagement.com/news/ bill-would-allow-prisons-jam-cell-phone-signals-005082.
PERSPECTIVES ON CYBERATTACK OUTSIDE NATIONAL SECURITY 203 and arresting him). (However, to the best of the committeeâs knowledge, law enforcement authorities have never launched a counter-cyberattack.) Third, it can take self-help measures to further investigate and charac- terize the source of the cyberattack and then report the information to appropriate law enforcement authorities. Fourth, it can take actions to neutralize the incoming cyberattack. The first optionâstrengthening its defense posture passivelyâentails a minimum of controversy as a matter of law and policy. But although stronger passive defensive measures are unlikely to be effective over the long run, the other options do entail some degree of controversy. Consider the long-standing thread of policy that law enforcement authorities have a key role to play in responding to a cyberattack against a private sector entity. The law enforcement paradigm is oriented primar- ily toward investigation, prosecution, and conviction of those who violate existing criminal laws about causing damage or destruction to computer systems (described in more detail below). Such processes take time to operate, often weeks or months, and are often constrained by the avail- ability of law enforcement resources and expertise. In the meantime, the private sector entity subject to a hostile cyber- attack can only hope that passive defense measures will mitigate the threatâtoday, there are no legal mechanisms or institutional structures available to provide immediate relief under such circumstances. Such a lacuna raises the possibility that some form of active defense for threat neutralization (active threat neutralization for short) may be a necessary component of a strong cybersecurity posture for the private sector. As noted in Chapter 3, the U.S. Strategic Command (STRATCOM) asserts the authority to conduct response actions, including threat neutral- ization, on behalf of cyberattacks against DOD installations under certain circumstances. The Department of Homeland Security has the responsi- bility for seeing to the cyber protection of the defense industrial base and the providers of critical infrastructure. But to the best of the committeeâs knowledge, neither DHS nor any other part of government has been given the authority to conduct active threat neutralization on behalf of any part of the private sector (including the companies of the defense industrial base and the providers of critical infrastructure). This state of affairs is problematic for large multinational corporations that face major cybersecurity threats, and that are themselves concerned with how to manage the risk associated with the cyberattacks they face. For such entities, one element of any rational risk management strategy would involve managing the tradeoff between the legal liabilities associ- ated with actions for the defense of property and the benefits from taking such actions.
204 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES 5.2.2â Self-defense by Private Parties If passive defensive measures by themselves are insufficient for an adequate cybersecurity posture (as might be inferred from the consider- ation of active threat neutralization for DOD cybersecurity), the question arises as to whether critical parts of the private sector might be afforded a similar kind of protection. Some elements of the private sector with services to offer do make just such an argument. Without prejudging the pros or cons of such arrangements, the discussion below indicates some of the legal and policy issues that would need to be addressed before such practices could be adopted. A first point is whether cyberattack expertise is available to the pri- vate sector. Although it is likely that the capabilities of the DOD far exceed those available to the private sector, many private sector compa- nies use penetration testing and âred-teamingâ as a way of testing their own cybersecurity postures. Such testing involves hiring a firm or an individual to penetrate oneâs own information systemsâtypically these firms and individuals advertise their services under the label of âethical hackersâ or something similar. The expertise needed to provide these ser- vices is roughly the same as that needed to conduct cyberattacks against any other target, and so it is clear that some level of cyberattack expertise is available. In addition, many private enterprises make use (in some cases, extensive use) of threat intelligence and surveillance capability provided by private companies. As for the legal dimension, U.S. common law admits certain rights of self-defense and of defense of property in preventing the commis- sion of a crime against an individual or a corporation. (In legal usage, self-defense refers to the defense of oneâs self (or others)âa defense of a person. Defense of property is more limited, in the sense that the range of allowable actions for the defense of property is more limited than for For example, in a paper entitled âOffensive Operations in Cyberspaceâ (dated June 1, 2007), the White Wolf Security corporation argued that corporate victims of cyberattack have limited rights to use offensive cyber operations in order to proactively protect their assets and workforce from attacks originating in the United States and in allied non-U.S. nations and that private military companies constitute an emerging base from which to conduct such operations on behalf of any party entitled to conduct them. This paper is no longer online, but it is in the committeeâs possession and available in this projectâs public access file. An important area in which necessary cyberattack expertise may vary according to the kind of target is the expertise needed to conduct social engineering attacks, which by definition involve exploitation of vulnerabilities that are embedded in the particular culture and operating procedures and practices of the target entity. It is almost certainly harder for a U.S. âethical hackerâ to conduct a social engineering attack in Zendia than in the United States, for reasons that might include a lack of knowledge of the Zendian language or of Zendian cultural norms.
PERSPECTIVES ON CYBERATTACK OUTSIDE NATIONAL SECURITY 205 certain kinds of self-defense (in particular, for self-defense against lethal attack). But the range of allowable actions for the defense of property is roughly comparable to the range for non-lethal self-defenseâthe use of non-lethal force can be justified in order to defend oneâs self against non-lethal attack and to defend oneâs property. For hostile cyberattacks, the relevant concept will almost always be defense of property, as cyber- attacks against private parties have not usually had lethal intent. Note that self-defense in this context has an entirely different meaning than self-defense in international law, a topic explored at length in Chapter 7.) While individuals are not permitted to engage in revenge or retaliation for a crime (that is, vigilantism is forbidden by law), they areâunder some circumstancesâentitled to take otherwise-prohibited actions for the purpose of preventing or averting an imminent crime or one that is in progress. Moreover, these rights attach even if specific statutes may not explicitly acknowledge their existence. Thus, the widely held view that government has a literal monopoly on legitimate use of physical force is simply not true as a matter of common law. Today, the primary federal law addressing cyberattacks is the Com- puter Fraud and Abuse Act (CFAA), codified as Title 18, Section 1030. Loosely speaking, this act criminalizes the intentional damaging of any computer connected to the Internet.10 (A number of state laws have similar provisions and would apply to individuals and corporations within their jurisdiction.11 The CFAA is discussed further in Section 7.3.4.) Although the CFAA contains an explicit exception for law enforcement agencies that undertake the normally proscribed behavior with respect to cyberattack, there is no explicit exception for private parties. On the other hand, the CFAA was never intended to apply and does The Model Penal Code does include exceptions for self-defense and defense of prop- erty (Model Penal Code, American Law Institute, Philadelphia, 1962, available at http://www. ali.org/index.cfm?fuseaction=publications.ppage&node_id=92). See also Paul H. Robinson, âCriminal Law Defenses: A Systematic Analysis,â Columbia Law Review 82:199-291, 1982, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=662043. 10 Section 1030 of the Computer Fraud and Abuse Act penalizes individuals who âknowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage [in excess of $5,000] without authoriza- tion, to a protected computer.â âProtected computersâ are defined to include computers âused in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.â In short, virtually any computer connected to the Internet falls under the definition of âprotected computer.â 11 For example, Section 815.06 of Title XLVI of the Florida Code (entitled âOffenses Against Computer Usersâ) criminalizes the willful, knowing, and unauthorized access or destruction of a computer or network (among other things). See http://www.leg.state.fl.us/ Statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=Ch0815/SEC06. HTM&Title=-%3E2007-%3ECh0815-%3ESection%2006#0815.06.
206 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES not apply to penetration testersâprivate parties hired (authorized) by a company to test its own defenses.12 A number of such firms provide such services so that a company can obtain a realistic assessment of its own security posture, and indeed penetration testing is often recommended as one of the best ways of doing so.13 A more significant issue is that in light of common law traditions regarding self-defense and defense of property, it is at least possible that a court might find that certain cyberattack actions undertaken in defense of property might be allowable, although whether such actions can stand as an exculpatory rationale for conducting active threat neutralization has not been tested in the courts to date. Even if not, actions taken in defense of property might be a starting point for legislative change if a policy deci- sion is made that such actions involving cyberattack should be allowed in certain circumstances.14 In the context of active threat neutralization of private, non-govern- ment computer systems under attack, an interesting question thus arises. To what extent and under what circumstances is self-help a legitimate option for the target of a cyberattack to stop it? Box 2.4 in Chapter 2 describes a spectrum of possible responses to a cyberattack, some of which plausibly count as active defense for threat neutralization. Security specialists in a private organization are often warned about undertaking efforts to gather information about the perpetrators of a cyberattack against the organization. For example, they are warned against compromising an already compromised machine to insert track- ing and collection software to gather such information. Concerns some- times arise over the possibility that the private organization and/or the security specialists themselves might be subject to civil or even criminal liability for their actions and that their efforts might contaminate evidence should a prosecution occur. As for more aggressive actions, actions taken in self-defense or for the defense of property are often justified as the only timely response available in exigent circumstances when law enforcement authorities are unavailable at the moment they are needed to prevent a crimeâthat is, in seconds rather than in the minutes or hours that it often takes law enforcement officials to arrive at the scene of a crime in progress. In the 12 The CFAA criminalizes only intentional damage caused without authorization. 13 National Research Council, Cybersecurity Today and Tomorrow: Pay Now or Pay Later, The National Academies Press, Washington, D.C., 2002. 14 As an example of a policy that would endorse cyberattack as a response to a threat to commercial interests, consider the controversial proposal of Senator Orrin Hatch to âde- stroyâ computers that have repeatedly been involved in the online trading of music and movie files after first providing warnings to the user to refrain from such behavior. See As- sociated Press, âHatch Wants to Fry Tradersâ PCs,â June 18, 2003, available at http://www. wired.com/entertainment/music/news/2003/06/59298.
PERSPECTIVES ON CYBERATTACK OUTSIDE NATIONAL SECURITY 207 case of responding to hostile cyberattacks, the enormous number of sites subject to such cyberattacks suggests that sufficient government resources will indeed be unavailable to protect all of them, and law enforcement authorities are often hard-pressed to respond at all, let alone adequately, to cybercrimes in progress. In the absence of sufficient law enforcement resources, two options are possibleâprioritize so that government resources are used to con- duct actions to defend people and property only against the most seri- ous threats, and/or allow the attacked parties to conduct such actions themselves. In large part, a choice between these two options rests on oneâs view about whether the conduct of offensive activities should be the exclusive purview of government. Very few individuals would be sympathetic to the notion of privatizing the nuclear deterrent force or even battleships or jet fighters. Yet under some circumstances, private parties can and do act with lethal force in order to neutralize an immediate threat to life, and they can act with non-lethal force to neutralize an immediate threat to property. It is not known how frequently victims of cyberattack take self-help actions. Likely because of concerns about violations of the CFAA, few of those who actually take such actions will report them openly. Yet some anecdotal evidence and personal experience of committee members suggests that the frequency is not zero, and the committee is aware of instances in which attacked companies have indeed conducted denial- of-service counterattacks against the attacking parties, even though such actions have never been acknowledged openly or done in ways that draw attention to them. One data point on this issue is provided by the New York Times,15 which reported that a worm released in late 2008 known has Conficker has reignited a debate inside the computer security community over the possibility of eradicating the program before it is used, by launching a cyberattack to compromise the wormâs controller and direct it to send messages to users warning them of the infection. One cybersecurity researcher working on a counter to the Conficker worm said of such a possibility, âYes, we are working on it, as are many others. Yes, itâs ille- gal, but so was Rosa Parks sitting in the front of the bus.â Others in the cybersecurity research community continue to oppose such an effort to stop the worm because of a concern that such efforts would create even more problems. If a domestic policy decision is made to allow attacked private-Âsector 15 John Markoff, âWorm Infects Millions of Computers Worldwide,â New York Times, January 22, 2009, available at http://www.nytimes.com/2009/01/23/technology/internet/ 23worm.html.
208 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES parties to conduct actions in defense of property,16 mechanisms can be put into place that depend on other parties whose job it is to defend the interests (life, property) of a possible victim. That is, an individual or a company may hire armed guards to implement self-defense practices or procedures should they become necessary. Regarding cyberattack, the analogous situation might be a company that provides active threat neutralization services that could be called into action when a customer reports being under attack (Box 5.1). 5.2.3â Regulating Self-defense by Private Parties Some cybersecurity analysts propose letters of marque and reprisal as a model for regulated private cyberattacks to support threat neutraliza- tion.17 Letters of marque and reprisal were originally used by govern- ments to give private parties the authority to take certain actions gener- ally regarded as appropriate only for a nationâs military forcesânamely to operate and use armed ships to attack and capture enemy merchant ships in time of war. These letters were crafted with a certain degree of specificity to ensure that the actions of the private party did not exceed the intent of the issuing government, and further were never intended to imply that such letters were needed for immediate self-defense. Although the Paris Declaration Respecting Maritime Law of 16 April 1856 was issued to abolish such private actions, and many nations ratified this declaration, the United States did not and has never renounced the right to do so. Indeed, Article 1, Section 8 of the United States Constitu- tion includes the issuance of letters of marque and reprisal as one of the enumerated powers of Congress. In the context of privately conducted cyberattacks, letters or licensing could be used to specify the circumstances under which threat neutraliza- tion may be performed for the defense of property, the criteria needed to identify the attacking party with sufficiently high confidence, the evidence needed to make the determination that any given cyberattack posed a threat sufficiently severe as to warrant neutralization, and the nature and extent of cyberattacks conducted to effect threat neutralization. A key issue is the threshold at which it is appropriate to conduct an 16 Although the policy decision would be domestic, it might well have implications for international law as well. In particular, it is not clear how an explicit decision to allow attacked private sector parties to conduct actions in self-defense or in defense of property would square with the international Convention on Cybercrime (discussed further in Sec- tion 7.2.4). 17 See, for example, Excalibur R&D, âLetter of Marque and Reprisal for Fighting Terrorists,â August 20, 2008, available at http://excaliburrd.com/cs/blogs/excalibur/Â Excalibur%20Letter%20of%20Marque%20paper%2015%20August%202008.pdf.
PERSPECTIVES ON CYBERATTACK OUTSIDE NATIONAL SECURITY 209 BOX 5.1â A Security Operations Center Nearly all large organizations face daily a deluge of security inputs from a variety of different systems, platforms, and applications. Usually, these inputs are generated as the result of point solutions distributed over multiple locations and do not adhere to any standards of syntax (they come in different formats, for example) or semantics (they report on different things). Growth in the number of attacks experienced every day, new technologies and rapid expansion, and new regulations and laws increase the burden on systems administrators. In response, many organizations seek to centralize the management of their security functions in what are often known as security operations centers (SOCs). SOCs track and integrate the multiple security inputs, ascertain risk, determine the targets of an attack, contain the impact of an attack, and recommend and/or execute responses appropriate to any given attack. In some cases, an organiza- tion will establish a SOC for itself. In other cases, SOC services are outsourced to a private company that specializes in providing such services. A SOC is constrained today to provide only passive defensive services when a threat originates outside the perimeter of the organization it serves. But active defense could be provided, legally, if undertaken within the organizational perim- eter1âand it is a matter of policy and law rather than technology that would prevent a SOC from taking similar action against parties outside the organizational perim- eter. Of course, if policy and law were established to allow such action, a SOCâs actions would be subject to whatever standards and regulatory requirements were part of that policy and law. 1 As noted in Footnote 10 of this chapter, the Computer Fraud and Abuse Act criminalizes only attacks committed without authorization. If a SOC conducts active defense within an organizationâs perimeter at the behest of that organization, it is acting with authorization. SOURCE: Adapted from Computer Associates, âBest Practices for Building a Security Opera- tions Center,â August 2006, available at http://www.secguru.com/files/papers/best_practices_ snoc_white_paper.pdf. active threat neutralization, and how that threshold is determined. Who determines the threshold? What level of actual damage, if any, must the victim sustain in order to demonstrate harm? How are such levels to be measured? Who should have the authority to make such a determina- tion? What alternatives to active threat neutralization must have been tried before active defense can be used? How should their success (or lack thereof) be documented? Although in a cyberattack context, these questions reflect largely unexplored legal territory, a few speculations can be made based on past precedents. To be justified, lethal actions taken in self-defense must usu-
210 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES ally be carried out as a last resort,18 but the same is not true for non-lethal actions taken either in self-defense or in defense of property. That is, in the case of protecting oneâs self from lethal attack, the ostensible victim must have tried other less violent methods for mitigating the harm that an attack might cause, or at least have good cause to believe that those other methods would not work. The same is not true for taking non- lethal actions to combat a non-lethal threat. In the case of cyberattack, even though such attacks are generally non-lethal, an argument might be made that the former analogy imposes a degree of prudence that is appropriateâif so, the analogy would require that a victim has taken all available passive defense measures (e.g., firewalls or system patches) before active threat neutralization is to be allowed as a permissible self- help action. A related point is that an action in defense of property might be misÂ directed and thus harm an innocent third party. From a legal point of view, a party taking an action in defense of property resulting in such harm may have a plausible defense to the violation of criminal law if he has made reasonable efforts to identify the party responsible for the origi- nal attack, even if the efforts were erroneous. Civil liability may attach for such action (e.g., the party launching the action in defense of property may be responsible to the innocent victim for damages suffered), although the liability might be less if the innocent party was negligent in allowing his or her computer to be used for malevolent purposes.19 5.2.4â Negative Ramifications of Self-defense by Private Parties The discussion above should not be construed as advocating a change from todayâs legal regime that strongly discourages active threat neutral- ization by private sector entities. Indeed, allowing self-help actions for private parties also has a variety of broader and negative ramifications for the nationâs interests writ large. 18 In most states, it is legal to use deadly force against an attack that threatens death, serious bodily injury, rape, kidnapping, or in some states robbery or burglary, even if one could have safely avoided the injury by retreating. And in all states, it is legal to use deadly force against such an attack even if one could have safely avoided the problem by turning over property that the attacker is demanding as a condition of not injuring the victim. 19 Uncertainties abound in this area. For example, it is theoretically possible that cy- berattack conducted to neutralize an active threat might itself be characterized as an âultra- hazardous activity,â depending on its scope and nature. If so, the courts could apply strict liability to all the harmful effects it caused. Alternately, if the defense of property is found not to apply to an active threat neutralization, the defender could easily find his responsive acts characterized as wrongful. Still other legal traditions forbid âhot pursuitâ of an attacker after he no longer poses a threat, and the line between active threat neutralization and retali- ation is not necessarily clear.
PERSPECTIVES ON CYBERATTACK OUTSIDE NATIONAL SECURITY 211 For example, active threat neutralization conducted by the private sector may have negative implications for the conduct of international relations. A private party in the United States conducting an action that harms computers in Zendia is likely to be attributed to the U.S. government even if there is no such linkage, and Zendia may well seek to hold the United States government responsible. A denial by the U.S. government may even be seen as evidence of government complicity in a plausibly deniable attack. And if Zendia believes that the U.S. govern- ment is responsible for an attack on it, itâor computer-savvy citizens of Zendiaâmay well see fit to attack the United States directly or its interests (e.g., private sector companies). (Such complex escalation scenarios do not generally characterize the typical self-defense or defense-of-property scenarios of a company defending its building or a homeowner defend- ing her home.) In addition, active threat neutralization conducted by the private sector may also interfere with cyberattacks launched by the U.S. govern- ment. For example, it is easy to imagine a scenario in which major U.S. corporations come under cyberattack from a foreign power and the U.S. government chooses to respond in kind. Cyberattacks launched by these corporations at the same time might well interfere with the conduct of the U.S. cyberattack, might work at cross-purposes with it, and would almost certainly be indistinguishable from cyberattack actions taken by the U.S. government. These issues are further complicated if the U.S. government estab- lishes standards, mandates licensing, or otherwise provides advice that could support actions taken in defense of property (e.g., that describe what conditions must be established for when such behavior should be considered a reasonable option, or what the limits on such actions should be). In the absence of mandatory standards for taking such action, actions by private parties would be governed by the partyâs own view of its self- interest, and in particular would be unlikely to take into account other broader societal or national needs.20 Thus, active threat neutralization may run a higher risk of having effects that work against those broader needs or objectives. A private partyâs threshold for action may also be lower (for example, it may be less tolerant of corporate espionage) than public policy might dictate. 20 Precedent for this likely outcome can be found in the behavior of private companies today, which invest in cybersecurity to the extent, and only to the extent, that their business needs call for such protection. The result has been a societal level of cyber protection that is, by most accounts, inadequate to meet the needs of the nation as a whole. See National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington, D.C., 2007.
212 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES On the other hand, the explicit establishment of stated policy that allowed private parties to act in defense of property to a cyberattack could well be taken as government endorsement of such actions, even if such policy did not require them to do so. Standards established ostensibly to regulate such behavior and prevent these actions from being taken arbi- trarily or solely at the discretion of the victimized party could thus have a perversely negative effect on how the U.S. government is perceived. Self-help actions of multinational corporations have implications with respect to both international law and the domestic laws of all the nations in which the corporations have a physical presence (where, for example, personnel and assets may be placed at risk by actions taken elsewhere by the corporation). Although such actions have not yet produced a visible reaction from other nations (perhaps because the scale of the problems involved has not reached the necessary level), how nations and the inter- national community will react in the future remains to be seen. Some of the negative ramifications described are also associated with todayâs regime, in which victims sometimes take self-help actions on the basis of their own judgments and perceptions quietly and under the table without policy or legal guidance. If and when such self-help actions reach a level where they interfere significantly with U.S. policy or its execution, policy makers may eventually consider a legal regime that is tighter with respect to self-help rather than looser than that of today. A tighter regime might explicitly prohibit active threat neutralization by private parties even under the rubric of defense of property, prohibit active intelligence gathering by private parties in the wake of a cyberattack, make parties undertaking threat neutralization strictly liable for any harm they cause, and so on. 5.3â Cyberexploitation in the Private Sector Given that the technical skills for cyberexploitation are similar to those required for cyberattack and in light of the discussion above, it is likely that some U.S. companies would have the technical capability to conduct cyberexploitation against their competitors. However, the Eco- nomic Espionage Act of 1996, 18 USC 1831-1839, criminalizes the theft of trade secrets related to or included in a product that is produced for or placed in interstate or international commerce. (âTrade secretsâ are defined as âall forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compi- lations, program devices, formulas, designs, prototypes, methods, tech- niques, processes, procedures, programs, or codes.â) Whether individual U.S. firms have engaged in this kind of industrial intelligence against competitors despite its illegality is unknown to the committee.
PERSPECTIVES ON CYBERATTACK OUTSIDE NATIONAL SECURITY 213 5.4â Threat Neutralization on Behalf of Non-military Government Agencies Most of the discussion in the previous sections applies equally as well to active threat neutralization conducted on behalf of non-military government agencies. The Department of Homeland Security has the responsibility for seeing to the cyber protection of non-military govern- ment agencies, and to the best of the committeeâs knowledge, neither DHS nor any other part of government has been given the authority to conduct active defense on behalf of these agencies. The primary difference between protection for government agencies and for the private sector is the fact that the actions of government agen- cies are subject to government control and direction within the limits of statutory law and constitutional restraint, whereas the U.S. government has exercised little influence apart from the bully pulpit today to direct or even influence the actions of much of the private sector regarding cyberse- curity, a notable exception being private sector companies that are subject to strong government regulation, such as the financial sector or companies in the defense industrial base, or that provide key services to the federal government. (Whether this âhands-offâ stance of government toward the private sector will continue to be the case in the future is not clear.) This difference is perhaps most important regarding issues related to the determination of the threshold at which an active defense is appro- priate. A private party setting the threshold is highly unlikely to take into account the overall national interest if it is given a free hand in determining that threshold, whereas a decision by government on the threshold is supposed to do so, at least in principle. That is, an action by a government agency is, in principle, coordinated throughout the federal government and that interagency process is responsible for ensuring that the overall national interest is indeed served by that action. A variety of pragmatic issues are also easier to resolve when govern- ment agencies are at issue. For example, through executive order the President can direct federal agencies to share data about the scope and nature of any cyberattacks they are experiencing. Such information is necessary to determine the overall scope of any attack and thus to deter- mine the nature of any active defense required. But most private parties are currently under no such obligation to provide such information to the federal government.21 21 Certain private parties subject to government regulation may be required to provide information under some circumstancesâfinancial institutions, for example, are required to notify their regulatory authorities if they experience significant cyber penetrations, although this requirement is not a real-time requirement.