Ellen Messmer at Network World poses the controversial question as to whether cyber retaliation is justified to thwart cyber attacks. Most information security professionals will agree that it is illegal to counter attack, but should it be? We are not asking the question of the ethics of cyber self-defense , but questioning current legislation. The proposal is to simply legalize cyber self-defense and leave it up to the market to determine the best solution. In the physical world you are allowed to defend yourself from an attacker. Why not apply the same standards to the cyber world?
The Castle Doctrine is one such example of real world defense. Several states have implemented the Castle Doctrine as part of their legal code.
A Castle Doctrine (also known as a Castle Law or a Defense of Habitation Law) is an American legal doctrine claimed by advocates to arise from English Common Law that designates one’s place of residence (or, in some states, any place legally occupied, such as one’s car or place of work) as a place in which one enjoys protection from illegal trespassing and violent attack. It then goes on to give a person the legal right to use deadly force to defend that place (his/her "castle"), and/or any other innocent persons legally inside it, from violent attack or an intrusion which may lead to violent attack. In a legal context, therefore, use of deadly force which actually results in death may be defended as justifiable homicide under the Castle Doctrine.
A company or personal network can be treated like a castle under the law just as a residence or business office. Self-defense under the Castle Doctrine also protects the defender from both criminal and civil liability. This means any person who uses a gun, kitchen knife, baseball bat, samurai sword, fire axe, etc. in defense of their castle can not be charged with a crime and the offender or their survivors are prohibited from filing a civil suit. The Castle Doctrine also removes the duty-to-retreat from an intruder. In the technology world we could assume this to mean that an IT department does not have to tune firewalls, perimeter routers, and IPS to mitigate the attack before launching their own counter strike.
Some may say that this does not apply directly to the internet where Company A’s servers may be hijacked and used to direct an attack against Company B. In actuality it does translate almost perfectly. In the physical world if Person A coerces Person B into harming or killing Person C, Person C has the right under the Castle Doctrine to defend themselves against Person B. The type of coercion applied is not relevant to the case since the imminent threat against Person C is Person B, not the manipulation caused by Person A. In the previous example the cybercriminal is Person A, the compromised system or bot net is Person B. Using the principles above it would be possible to create a cyber Castle Doctrine.
Sample Legislation to create a cyber Castle Doctrine
Immunity from prosecution; exception
A person or legal entity who uses computer force against an attacking computer system violating O.C.G.A. § 16-9-93 shall be immune from criminal prosecution.
No duty to retreat prior to use of force in self-defense
A person or legal entity has no duty to mitigate the actions of an attacking computer system prior to using computer force against an attacking computer system violating O.C.G.A. § 16-9-93
Immunity from civil liability for threat or use of force in defending technology resources
A person or legal entity using computer force against an attacking computer system violating O.C.G.A. § 16-9-93 shall not be held liable to the person or legal entity against whom the use of force was justified or to any person acting as an accomplice or assistant to such person in any civil action brought as a result of the threat or use of such force.
The advantages of applying Castle Doctrine to cyberspace are much like those of physical space:
- Reduces court and law enforcement costs
- Applies individual responsibility for both perpetrator and defender
- Fewer people in jail serving time reducing prison costs
Creating a Castle Doctrine for cyberspace has numerous advantages. It effectively increases security by raising the stakes for companies and individuals who do not secure their systems. In addition to facing downtime from a counter attack, the company risks further embarrassment in court when the defender produces security logs showing that they were defending against an attack from that IP address. Consumers can quickly gain visibility into which companies are regularly getting compromised and turned into bot zombies from such court records. They may then assume if intruders control the systems, they probably control customer information contained on those systems. Even without court records if a company is down from a defender’s counter attacks they will not be able to process data for their customer and will eventually lose customers to companies that consistently do it right.
Placing more responsibility on companies to keep their systems secure will also lead to growth in the cyber insurance market. Most of the policies I have reviewed are very weak today, but by legalizing cyber self-defense we can create a market for different levels of insurance coverage. This can benefit companies by allowing them to insure against downtime caused by intruders or defenders. It will also help financial companies such as Goldman Sachs create derivatives similar to Credit Default Swaps and Credit Default Obligations that can be applied to the cyber insurance industry.
The potential for downtime caused by a defender will also cause retail and institutional investors to direct funds to companies that provide reasonable cyber security. BP made decisions that increased risk. It is not known how visible cutting corners was at BP, but Goldman Sachs sold 4.68 million shares of BP just before the Deep Water Horizon exploded. Security should weigh just as heavily as safety to investors. Goldman Sachs was correct to offload their BP holdings, just as they would be correct to offload shares of any company that allows its systems to be taken over by an intruder, then taken offline by a defender.
We have several good results that legalizing cyber self-defense bring. The Internet should have its own Castle Doctrine and allow the private sector to find solutions to the problem of cyber security. This frees up law enforcement resources and places responsibility where it should be, back in the hands of the individual or individuals that work for a legal entity.