Inspired by this week's podcast episode and a conversation with Brock Meeks, an old friend and sparring partner, I contributed the following op-ed to Atlantic Media's BRINK site. Many thanks to Victoria Muth for her assistance in turning my good intentions into an actual article.
Corporate executives are fed up with the current approach to network security. They’ve been spending more and more on security. Despite that spending, they’re told that they can’t expect to keep intruders out of their networks; the best they can hope for is to lock the intruders out of their most important files, or to keep hackers from exfiltrating all that data.
Government help seems useless. It rarely catches intruders or offers security advice beyond the obvious; however, it’s quite happy to punish corporate hacking victims after the fact, often imposing fines and liability on the victim for failing to implement a security measure that three-quarters of government agencies haven’t implemented.
It’s pretty clear that building higher walls around our networks is a dead end. So is tighter scrutiny and control over what happens on the network. These things have their place, just as locks on our doors and windows have a place in physical security; however, locks won’t stop thieves if they don’t have to worry about getting caught and sent to jail for breaching the homeowner’s security measures.
Government is failing us there, too. While there have been more high-profile indictments and even somewhat more prosecutions of hackers, the government lacks the resources to attribute most network compromises. A single large financial institution probably spends more on static network defense than the entire Federal Bureau of Investigation and Justice Department spend investigating intrusions nationwide.
Worse, the Justice Department and FBI have been spending at least some of those scarce resources trying to stop victims from going beyond static network defense, claiming that deploying active defenses that might have an effect outside the victim’s network is legally questionable under the Computer Fraud and Abuse Act (CFAA). Corporate network defenders know that they can’t defend their way out of the current crisis. More needs to be done to identify and deter attackers who, today, act with impunity.
More Effective Attacker Retribution Needed
We need, in short, a more effective method to attribute attacks—and more effective retribution for the attackers. That means taking another look at the laws and policies that have discouraged private companies from taking any active steps to attribute and deter intrusions. This could mean any number of measures. It might mean building “beacons” into documents so that when they are opened by attackers, they phone home to alert defenders that their information was compromised. It might mean using information provided by beacons to compromise the attackers’ network and gather evidence as to the attackers’ identities. It might mean stopping a DDoS attack by taking over the botnet, or by patching the vulnerability by which the botnet conscripted third-party machines.
Opponents call this “hacking back,” and they conjure dire consequences, such as the accidental shutdown of hospital intensive care networks, or massive retaliation against the United States because private actors have thwarted a state-sponsored intrusion. But network defenders aren’t forced to choose between huddling at home waiting to be attacked, and launching the cyber equivalent of a thermonuclear exchange. There are many ways to improve both our attribution and our retribution tools without resorting to indiscriminate attacks.
For example, Jeremy and Ariel Rabkin recently offered an interesting essay showing the kinds of intermediate steps that victims could sponsor without risking World War III. In essence, the Rabkins suggest that the government license private forensic firms to travel outside victims’ networks to attribute attacks.
We already live in a world where private investigators with special authorities and responsibilities supplement the efforts of government. Private investigators arguably transformed the security debate in 2009 by exposing a sophisticated espionage program known as GhostNet that attacked the network of the Dalai Lama. Attribution has only gotten better since then. Drawing in part on the work of private forensics firms, the U.S. has been able to attribute major cyber attacks to Iran, North Korea and China. The more investigators we can deploy, the more attacks we can attribute, and that means drawing on the security budgets of private industry, not just the federal government.
Putting Teeth in Retribution Efforts
After attribution comes retribution. Here, too, the U.S. government has made progress. For example, the Executive Branch and Congress have proposed a “Strategy on Mitigating the Theft of Trade Secrets” as well as a “Joint Strategic Plan on Intellectual Property Enforcement,” calling for improved protections by “naming and shaming” countries that don’t take certain actions against hackers. Justice Department indictments, even if they never produce arrests, have changed the sense of impunity in hacking circles.
But again, government cannot do the job alone. We need to bring private resources to bear on retribution as well as attribution—not by endorsing network attacks, but by encouraging retribution within the law. Luckily, once an attack has been attributed, legal remedies begin to look quite realistic. Companies that have received their competitors’ trade secrets from hackers begin to look quite vulnerable. These companies often do business in the U.S., and they can be sued here under several existing statutes.
The CFAA offers a private right of action against both hackers and those who benefit from the hacking. The new federal Trade Secrets Act allows suits against those who use trade secrets that they knew or had reason to know were stolen. And the International Trade Commission can ban a product from the U.S. if it incorporates hacked trade secrets.
So, if you’re a corporate official whose network is under attack and you’re persuaded that active defense is the only approach that will work, what can you do now, under current law?
Don’t expect much comfort from the Justice Department or the FBI. They’ll say that active defense is at least arguably a violation of the CFAA. What they won’t tell you, though, is that the CFAA exempts actions taken under law enforcement authority. Not federal law enforcement authority. Any law enforcement authority. If you can find a sheriff or attorney general who’s willing to deputize your forensics team, federal threats to invoke the CFAA lose most of their force.
In short, you don’t have to sit and take it anymore. There are plenty of risks in trying to go beyond passive network defenses, but there may be more risk in doubling down on an approach to network defense that has been failing ever more spectacularly for 30 years.