Legalizing Retaliation is the Answer to Cyber Attacks

Ellen Messmer at Network World poses the controversial question as to whether cyber retaliation is justified to thwart cyber attacks.  Most information security professionals will agree that it is illegal to counter attack, but should it be?  We are not asking the question of the ethics of cyber self-defense , but questioning current legislation.  The proposal is to simply legalize cyber self-defense and leave it up to the market to determine the best solution.  In the physical world you are allowed to defend yourself from an attacker.  Why not apply the same standards to the cyber world?

 

The Castle Doctrine is one such example of real world defense.  Several states have implemented the Castle Doctrine as part of their legal code.

A Castle Doctrine (also known as a Castle Law or a Defense of Habitation Law) is an American legal doctrine claimed by advocates to arise from English Common Law[1] that designates one’s place of residence (or, in some states, any place legally occupied, such as one’s car or place of work) as a place in which one enjoys protection from illegal trespassing and violent attack. It then goes on to give a person the legal right to use deadly force to defend that place (his/her "castle"), and/or any other innocent persons legally inside it, from violent attack or an intrusion which may lead to violent attack. In a legal context, therefore, use of deadly force which actually results in death may be defended as justifiable homicide under the Castle Doctrine.

A company or personal network can be treated like a castle under the law just as a residence or business office.  Self-defense under the Castle Doctrine also protects the defender from both criminal and civil liability.  This means any person who uses a gun, kitchen knife, baseball bat, samurai sword, fire axe, etc. in defense of their castle can not be charged with a crime and the offender or their survivors are prohibited from filing a civil suit.  The Castle Doctrine also removes the duty-to-retreat from an intruder.  In the technology world we could assume this to mean that an IT department does not have to tune firewalls, perimeter routers, and IPS to mitigate the attack before launching their own counter strike.

Some may say that this does not apply directly to the internet where Company A’s servers may be hijacked and used to direct an attack against Company B.  In actuality it does translate almost perfectly.  In the physical world if Person A coerces Person B into harming or killing Person C, Person C has the right under the Castle Doctrine to defend themselves against Person B.  The type of coercion applied is not relevant to the case since the imminent threat against Person C is Person B, not the manipulation caused by Person A.  In the previous example the cybercriminal is Person A, the compromised system or bot net is Person B. Using the principles above it would be possible to create a cyber Castle Doctrine.

 

Sample Legislation to create a cyber Castle Doctrine

 

Immunity from prosecution; exception

A person or legal entity who uses computer force against an attacking computer system  violating O.C.G.A. § 16-9-93   shall be immune from criminal prosecution.

No duty to retreat prior to use of force in self-defense

A person or legal entity has no duty to mitigate the actions of an attacking computer system prior to using computer force against an attacking computer system violating O.C.G.A. § 16-9-93 

Immunity from civil liability for threat or use of force in defending technology resources

A person or legal entity using computer force against an attacking computer system violating O.C.G.A. § 16-9-93  shall not be held liable to the person or legal entity against whom the use of force was justified or to any person acting as an accomplice or assistant to such person in any civil action brought as a result of the threat or use of such force.

 

The advantages of applying Castle Doctrine to cyberspace are much like those of physical space:

  • Reduces court and law enforcement costs
  • Applies individual responsibility for both perpetrator and defender
  • Fewer people in jail serving time reducing prison costs

 

Creating a Castle Doctrine for cyberspace has numerous advantages.  It effectively increases security by raising the stakes for companies and individuals who do not secure their systems.  In addition to facing downtime from a counter attack, the company risks further embarrassment in court when the defender produces security logs showing that they were defending against an attack from that IP address.  Consumers can quickly gain visibility into which companies are regularly getting compromised and turned into bot zombies from such court records.  They may then assume if intruders control the systems, they probably control customer information contained on those systems.  Even without court records if a company is down from a defender’s counter attacks they will not be able to process data for their customer and will eventually lose customers to companies that consistently do it right.

Placing more responsibility on companies to keep their systems secure will also lead to growth in the cyber insurance market.  Most of the policies I have reviewed are very weak today, but by legalizing cyber self-defense we can create a market for different levels of insurance coverage.  This can benefit companies by allowing them to insure against downtime caused by intruders or defenders.  It will also help financial companies such as Goldman Sachs create derivatives similar to Credit Default Swaps and Credit Default Obligations that can be applied to the cyber insurance industry.

The potential for downtime caused by a defender will also cause retail and institutional investors to direct funds to companies that provide reasonable cyber security.  BP made decisions that increased risk.  It is not known how visible cutting corners was at BP, but Goldman Sachs sold 4.68 million shares of BP just before the Deep Water Horizon exploded.  Security should weigh just as heavily as safety to investors.  Goldman Sachs was correct to offload their BP holdings, just as they would be correct to offload shares of any company that allows its systems to be taken over by an intruder, then taken offline by a defender.

We have several good results that legalizing cyber self-defense bring.  The Internet should have its own Castle Doctrine and allow the private sector to find solutions to the problem of cyber security.  This frees up law enforcement resources and places responsibility where it should be, back in the hands of the individual or individuals that work for a legal entity. 

DDS Dillards Trade Idea

Dillard’s Inc. (DDS) is on a nice uptrend and above all of the key averages.  One way to get in on DDS is to play option verticals.  If we think DDS will continue to go up we can sell a bull put spread against the stock.  A bull put spread is formed by selling one put option and buying one put option below it. 

Stock-Chart---DDS-2011-01-17

 

We’re going to target the February options which are 32 days from expiration.  Using the Risk Profile in Think or Swim we can click on set slices and set the graph to 1 standard deviation from the current price and set the date for 2/18/11 which is February Expiration.  The Risk Profile shows us that 1 standard deviation from the current price is 44.71 and 35.45.  We can create a simulated order where we sell the February 35 Put and buy the February 33 Put and collect a premium of $20 per contract.  This sets our maximum gain at $20 per contract and $180 is our maximum loss per contract. 

 

 

Stock-Risk---DDS-2010-01-17

 

The 20/180 risk reward may sound crazy, but when we move over to the Probability Analysis tab and Set Slices to Break Even we see that our break even price is 34.80.  In order to make money DDS simply has to stay above 34.80.  The probability of it being below 34.80 as of today is 14.23% and above 34.80 is 85.77%.  You can adjust the date forward on this tab to see the probability of success go up as we get closer to expiration.  That is of course assuming everything remains the same.  You can also click the wrench below the date on this tab to change the stock price and volatility to see how that affects the probability of being above 34.80 by February expiration.  86% of being successful is very good odds. 

To calculate our return on investment you take the max loss minus the initial credit (180-20=160) and divide that into the initial credit of 20.  So we have 20/160=.125, or 12.5%.  We have an 86% chance of making 12.5% in approximately 32 days. 

 

Stock-Probability---DDS-2010-01-17

Short Trade Ideas in Retail

 

Interesting setup in JC Penny.  Multiple bottoms near 30 which would indicate strong support.  There is a descending triangle which could indicate a bounce or a break below support.  The 100 SMA is also on a collision course with the support line.  The 10 and 20 SMA are in a downtrend.  Entry strategy could include a short position below 29.90 with a stop market order, or just keep an eye on it.  The triangle appears to be 4 in length from the top to the base.  If there is a drop expect a turnaround at around 26.  A conservative play would be to exit at the 200 SMA.

Stock-Chart---JCP-2011-01-17

 

A little late to the game on Macys.  It gapped down and appears to be on its way to the 200 SMA and previous support at 22.  There may not be much room left in this one before it may see support again.

Stock-Chart---M-2011-01-17

 

Nordstrom is another one to keep an eye on.  It has been in a range and appears to be stuck below the 10,20, &50 SMA.  A move below current support could place it near 40 at previous support.  The 100 MA is upward trending and approaching 40 as well.  It could also break above 44 and continue upward.  Keep an eye on this one or set an alert.

Stock-Chart---JWN-2011-01-17

Security Pros Should Get Into The Cloud in 2011

ReadWriteWeb has a short but peppy write up on 2011 resolutions for SMBs to get serious about security.  The standard AV/endpoint topics are discussed, but also the need to get serious about cloud computing.  In a recent Global Information Security Workforce Study done by (ISC)2 and Frost & Sullivan, 73% of surveyed (ISC)2 professionals believe that new skills are needed to meet the demands of the cloud computing space. 

Some security professionals may choose to fight the cloud by simply waving a hand and proclaiming that it is not secure.  In the SMB space not every company handles PCI data, and many do not handle PII data that requires special treatment under the law.  The cloud makes sense for companies that are constrained by cash flow or capital budgeting.  For example, a company that operates an 8×5 IT shop may be able to have security and uptime monitored 24×7 by moving into a cloud solution.  This would be cheaper than a 24×7 local staff and the additional capital expenditure for monitoring tools.  Saving money for any company is a good thing.  That allows more money for raises and bonuses, which everyone likes. 

What should security professionals do to prepare for the cloud in 2011?

  • Learn about the cloud
    • Take at least one technical class about cloud computing technology
    • Take at least one business class that will help you with understanding ROI promised by the cloud
    • Collaborate with other security professionals regarding their experiences
  • Work with business leaders to embrace the cloud
    • Talk to your CFO or Controller about cost savings the cloud can bring
    • Concentrate on areas that make business sense. Not everything has to go in the cloud, nor should it
    • Illustrate the risks and benefits of moving to the cloud for those systems
    • The CEO should have the final say on any course of action, be a trusted advisor.

 

Security professionals should provide the expertise needed for the business to succeed.  Under ISO 27001 top management should determine and sign off on the acceptable amount of risk for the company.  At the end of the day this rests with the CEO or President, who is advised by the CISO, CFO, BizDev, and other leaders. 

How The Rich Create Jobs

After hearing a caller on Sean Hannity’s show profess that the rich never create jobs, I began to think about how this applies to the younger generation.  Being born into Generation X gives one an interesting vantage point.  We were born after the Baby Boomers and entered the work force knowing that layoffs are normal. The working relationship is no longer about loyalty, but to the benefit of the worker or the employer.  According to a friend who works in HR the mentality has gone from working for one or two companies for life to the average Generation X worker staying at one job for 5 years and upwardly mobile workers only staying for 2 years or less.  This frustrates Baby Boomer executives who expect people to stay under their hire for 10-15 years. If Generation X frustrates the Baby Boomers, what does Generation Y do?

One of the biggest problems that HR executives have encountered with Generation Y is that they don’t want a job.  At first one may think that they are bigger slackers than GenX who defined modern slacking.  Actually this is not the case.  The biggest problem facing HR executives is that GenY has entered the professional workforce as freelancers while still in college.  A large number of these young ambitious people already have Limited Liability Companies or Corporations they’ve started while in college.  One complaint that HR executives hear is that taking a full time job means only 2 weeks of vacation and you have to show up for work every day even if there is no real work to do.  GenY wants to be able to take 6 weeks off at a time if there is no work to do.

For those who have not experienced the bureaucracy of an extremely large company it is possible for there to be no work for anyone to do.  If you’re a software engineer you can’t start work on a project until sales has settled on a price with the customer.  That can take 2-4 weeks.  Then the lawyers take another 2-4 weeks to agree on the contract.  Then purchasing has to buy the equipment for the project, that has its own sales and lawyer cycle.  During that time there is nothing to do for the workforce because you don’t have a customer to bill the work to, or you don’t have the equipment to actually do the work.

The end result is that getting a job for GenY means not taking a salaried position with a company full time, but working for themselves.  If they don’t “get a job” then how do the rich fit into this?  That’s the next stop in our education about how the world works today. 

Angel Investors are individual rich people who invest their own money into other people’s businesses.  Venture Capitalists on the other hand are companies who manage a pool of money and invest into companies.  Usually that pool of money is from a group of individual angel investors.  These are the rich people that create the jobs for GenY.  Angel investors can contribute a small amount in the four digits all the way up in to the tens of millions of dollars.  If you ask a friend or relative to buy a portion of your lawn service or convenience store, they are an angel investor.  Many people in GenX and GenY whom I have worked with on launching their business ask the question early on, “Who can we find to give us money and how much can we sell our idea for?” 

For example, lets look at advertising firm trueAnthem.  I picked them because they were the most recently listed in CrunchBase, a database of start up companies that tracks investment and other facts.  They received $2 million in angel funding on 7/28/08.  They have 10 employees.  If they pay each employee $50,000 per year, they can afford to pay salaries for 2 years and still have $1 million left over for office rent and other expenses, assuming they make no money.  They managed to survive long enough to receive another $2.88 million in Series A financing at the end of 2010.

What happened here is a rich person gave someone a job by providing $2 million in start up capital, who then hired a several employees.  In the world of GenY, to say that a rich person never gave you a job is inaccurate. The average person may believe that because a wealthy person did not hire them directly they did not get a job from a rich person.  Once you follow the money trail it usually leads back to someone with extra money to spare.   In a future article I will cover why taking money from a rich person for a job is better than going to the SBA or your local bank to get a loan.