Ellen Messmer at Network World poses the controversial question of whether cyber retaliation is justified to thwart cyber attacks. Most information security professionals will agree that it is illegal to counterattack, but should it be? We are not asking about the ethics of cyber self-defense, but questioning current legislation. The proposal is simply to legalize cyber self-defense and leave it to the market to determine the best solution. In the physical world you are allowed to defend yourself from an attacker. Why not apply the same standard to the cyber world?
The Castle Doctrine is one such example of real-world defense. Several states have implemented the Castle Doctrine as part of their legal code.
A Castle Doctrine (also known as a Castle Law or a Defense of Habitation Law) is an American legal doctrine claimed by advocates to arise from English Common Law[1] that designates one’s place of residence (or, in some states, any place legally occupied, such as one’s car or place of work) as a place in which one enjoys protection from illegal trespassing and violent attack. It then goes on to give a person the legal right to use deadly force to defend that place (his/her "castle"), and/or any other innocent persons legally inside it, from violent attack or an intrusion which may lead to violent attack. In a legal context, therefore, use of deadly force which actually results in death may be defended as justifiable homicide under the Castle Doctrine.
A company or personal network could be treated as a castle under such a law, just as a residence or business office is. Self-defense under the Castle Doctrine also protects the defender from both criminal and civil liability. This means any person who uses a gun, kitchen knife, baseball bat, samurai sword, fire axe, etc. in defense of their castle cannot be charged with a crime, and the offender or their survivors are barred from filing a civil suit. The Castle Doctrine also removes the duty to retreat from an intruder. In the technology world we could take this to mean that an IT department does not have to tune firewalls, perimeter routers, and IPS to mitigate the attack before launching its own counterstrike.
Some may say that this does not apply directly to the Internet, where Company A's servers may be hijacked and used to direct an attack against Company B. In fact it translates almost perfectly. In the physical world, if Person A coerces Person B into harming or killing Person C, Person C has the right under the Castle Doctrine to defend themselves against Person B. The type of coercion applied is not relevant to the case, since the imminent threat to Person C is Person B, not the manipulation by Person A. In the Internet example the cybercriminal is Person A and the compromised system or botnet is Person B. Using the principles above it would be possible to create a cyber Castle Doctrine.
Sample Legislation to create a cyber Castle Doctrine
Immunity from prosecution; exception
A person or legal entity who uses computer force against an attacking computer system violating O.C.G.A. § 16-9-93 shall be immune from criminal prosecution.
No duty to retreat prior to use of force in self-defense
A person or legal entity has no duty to mitigate the actions of an attacking computer system prior to using computer force against an attacking computer system violating O.C.G.A. § 16-9-93.
Immunity from civil liability for threat or use of force in defending technology resources
A person or legal entity using computer force against an attacking computer system violating O.C.G.A. § 16-9-93 shall not be held liable to the person or legal entity against whom the use of force was justified or to any person acting as an accomplice or assistant to such person in any civil action brought as a result of the threat or use of such force.
The advantages of applying the Castle Doctrine to cyberspace are much like those in physical space:
- Reduces court and law enforcement costs
- Places individual responsibility on both perpetrator and defender
- Fewer people in jail serving time, reducing prison costs
Creating a Castle Doctrine for cyberspace has numerous advantages. It effectively increases security by raising the stakes for companies and individuals who do not secure their systems. In addition to facing downtime from a counterattack, such a company risks further embarrassment in court when the defender produces security logs showing that it was defending against an attack from that company's IP address. Consumers can quickly gain visibility from such court records into which companies are regularly compromised and turned into bot zombies. They may then assume that if intruders control the systems, they probably also control the customer information held on those systems. Even without court records, a company that is down because of a defender's counterattacks will not be able to process data for its customers and will eventually lose them to companies that consistently get security right.
Placing more responsibility on companies to keep their systems secure will also lead to growth in the cyber insurance market. Most of the policies I have reviewed are very weak today, but legalizing cyber self-defense would create a market for different levels of insurance coverage. This benefits companies by allowing them to insure against downtime caused by either intruders or defenders. It will also help financial companies such as Goldman Sachs create derivatives similar to Credit Default Swaps and Collateralized Debt Obligations that can be applied to the cyber insurance industry.
The potential for downtime caused by a defender will also lead retail and institutional investors to direct funds to companies that provide reasonable cyber security. BP made decisions that increased risk. It is not known how visible the corner-cutting at BP was, but Goldman Sachs sold 4.68 million shares of BP just before the Deepwater Horizon exploded. Security should weigh just as heavily as safety with investors. Goldman Sachs was correct to offload its BP holdings, just as it would be correct to offload shares of any company that allows its systems to be taken over by an intruder and then taken offline by a defender.
Legalizing cyber self-defense brings several good results. The Internet should have its own Castle Doctrine, allowing the private sector to find solutions to the problem of cyber security. This frees up law enforcement resources and places responsibility where it belongs: back in the hands of the individual, or the individuals who work for a legal entity.
I disagree with this:

1.) How could we legalize attacks against the members of a botnet where individual computers attack, say, an ssh server of mine? Under this law, I'd be able to attack member servers even if they were owned by the Gov't or if they were part of critical infrastructure in corporate networks that millions depend on daily.

The source article that this is from seems to advocate the feeding of misinformation to attacking computers, which is a bit different than active attacks against a target computer (i.e. exploitation of a back door in an uploaded php shell or a buffer overflow resulting in code execution inside of a running exploit payload) in which I could gain root access or user-level access to an attacking computer (which is currently illegal) in order to stop the computer from attacking me.

2.) I can't see how this would result in less jail time. If anything, the people who are running, developing and using the botnets need to see the inside of a jail in order to discourage this behavior, or at least have tabs kept on their future behavior. It would certainly reduce the massive amounts of money that law enforcement is dumping into this increasingly expensive issue in security.

3.) The potential for abuse of this law is massive and impossible to uncover.

Let's say that we approach this from a different angle — the botnet itself.

Botnets have a few inherent security weaknesses that are in some cases overlooked by simple malware. Using those security vulnerabilities in code that already has access to the box attacking you and liberating the botnet from the botnet herder would be more effective if the liberators could show that they were liberating the botnet that the attacking box fell under.

This is illegal under current US computer access laws since it gives the liberators access to computers they do not own without permission, and whoever took the botnet from its original owner is now in legal possession of a botnet (to some extent; obviously it could be legal up to the point where the botnet was used for malicious purposes, but how would we know?).

In the end I feel that this is such a legal grey area that you can't advocate this type of "active defense measure" in law because of the problems and precedents it could set. Another reason is that retaliation could have a much wider impact than originally anticipated due to internet choke points and virtualization and virtual hosts. Taking down an infected name server willy-nilly could have dire consequences for a small ISP and its customers, for example.
- The first assumption that I discussed with my colleagues is that we must accept that taking down other systems is ethically acceptable as long as it is within the framework of the law. If legal does not equal ethical to you, then discussing the hypothesis is moot.

In terms of jail time we can also apply physical-world principles. Police departments and district attorneys are becoming more reluctant to waste time on private corporations. A town I used to live in had a policy that the police would not respond to a private business because they are there for the benefit of the public, not a private corporation. Thus every company had to have its own private security force, even McDonald's. By letting companies fight it out among themselves you remove the police and the DA from the equation, freeing up jail and court resources for other purposes. This is also similar to legalizing marijuana or raising the legal blood alcohol level. You have statistically reduced crime, and then you accept all consequences of that as an economic externality to make it acceptable. Therefore we can make it legal to retaliate against an attacking system, knowing that the moral hazard is that someone else is going to get caught in the crossfire. This is similar to raising the BAC level and not being concerned with the number of people injured in drunk driving accidents. Economists would label both externalities. If we were to apply Asian ethics using the end-means method, the consequences (injuries) would be acceptable to statistically lower the number of DUI arrests.

In scenario 1, applying a Cyber Castle Doctrine would allow you to retaliate against any IP address that is actively attacking you. When you present your IDS logs in court you cannot be charged with a crime nor be sued by the owner of that IP address. The downtime is that entity's problem along with their customers' problem.

We operate under the assumption in our hypothesis that downtime for third parties is actually a good thing. As I mentioned in the original post, consumers get visibility into how resilient a company is. Let's assume a bank, for example, has machines participating in a botnet, and those machines are taken offline by a defender, leaving the bank's customers unable to log in. While they are down it leaves doubts in the customers' minds and in the mind of Wall Street, which may cause customers to go somewhere else and the street to short sell the bank. When it comes out in court that those machines were attacking another company and were legally taken offline under a Cyber Castle Doctrine, it will leave doubts in the customers' minds and they will flock to another bank. The street will act appropriately by continuing to sell off. This is good for banks that have their house in order and bad for ones that do not build resilient, secure networks. Under our hypothesis we are not concerned for the customers or the employees of the bad bank. If I bank at Security Community Bank, and Bank of America is caught up in a Wikileaks-manipulated retaliation they can't repel, it stands to either be neutral or benefit me if BofA customers leave and join another bank or join my bank. The same can be said if I suspect BofA has poor security practices and I'm short their stock. In that case we would want to see BofA taken offline to demonstrate that they have poor security and resiliency, which allows us to make money on the trade.

In commodity markets it is a zero-sum game. In order for you to make money, someone else has to take the opposite bet and lose money. In proposing legislation of this nature we are bringing the rules of the financial industry to business and information security. In order for some companies to succeed, others must be put out of business. A medium business grows into a large business at the expense of other large businesses, either through routine competition or through opportunistic poaching of customers when the competition makes a mistake.

A Cyber Castle Doctrine stands to benefit information security professionals because the stakes are now raised and companies will have to staff up with experts to attack and counterattack. It will benefit security product vendors because the stakes are now higher, which will increase sales and also drive competition for better products. It will benefit the insurance industry because there will be demand for new insurance products to handle the new hostile environment. It will benefit the general public and Wall Street because there will be fresh stocks to short as companies are taken offline. It will benefit the lawyers who will attempt to prove that a counterattack was permitted under the law. The only ones not to benefit are the insecure companies and their customers. Customers can shift to a different business, so the end result is that insecure companies are eliminated from the ecosystem. The interim volatility is something to contend with, but at the end of the day it all shakes out. This assumes that you are ok using the end-means methodology. I understand most Westerners would not find this approach ethical; however, there are those who do, especially when it benefits them, such as the bankers, lawyers, insurance underwriters, and security professionals I have spoken to to gain insight into formulating this post.