Skating on Stilts

I know we promised to take August off, but I was inspired by the flap over the DNC hack and the fact that I’m at the Aspen Homeland Security Working Group meeting in Colorado. I waylaid two former intelligence community members on the Aspen campus and asked for their views on the DNC hack.  Well, to be accurate, I start the interview by asking whether Putin really has the balls to step into the US electoral campaign in this way. 

Answering the question are two men with long years dealing with Soviet and then Russian intelligence:  Charles Allen, who became intelligence chief for DHS after a full career at CIA, and John McLaughlin, who ended his career at CIA as the Deputy Director and Acting Director.

As always, the Cyberlaw Podcast welcomes feedback. Send email to [email protected] or leave a message at +1 202 862 5785.

Download the 127th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

If Vladimir Putin can do it, so can we. This week the podcast dives deep into the US presidential campaign.

I of course talk with Maury Shenk about evidence that the Russians are behind “Guccifer 2.0” and the DNC data leak – aided by a Wikileaks that looks more and more like an FSB front.  I compare the largely indistinguishable Dem and GOP platform planks on encryption ‒ and draw a lesson from the straddles:  there’s little doubt that every lobbyist who contributed to the platforms was working for Silicon Valley, so the failure to endorse the Valley’s view may spell trouble for techie triumphalism.  I also spike the football for the Justice Department, whose policy views on the dangers of hacking back were swamped when the GOP called for letting victims of hacking have their way with the hackers.

Our interview this week touches on the insider threat. Andy Irwin describes the new DOD rule requiring contractors to devise insider monitoring plans for cleared personnel, and two industry leaders, Ed Hammersla, CSO of Forcepoint, and Brian White, COO of RedOwl Analytics, talk about what technology can do to spot incipient employee defections and data theft.  A discussion of the role of natural language processing naturally reminds me of George Carlin and the seven dirty words you can’t say on the radio.

In other news, Katie Cassel unpacks another in a long line of increasingly incoherent 9th Circuit rulings on when it violates the CFAA for unwanted visitors to log on to a site.  Katie also explains why the outcome of another data breach lawsuit might persuade Scottrade to change its name to Scot-Free.

Maury updates us on UK politics, from Theresa May’s honeymoon to the possibility that UK data retention law will survive review in the European Court of Justice.  I flag a good (and, sadly, already outdated) House Homeland Security Committee report on 100 ISIS-linked terror plots against the West since 2014, a surprise reprieve for Silent Circle, and Whatsapp’s continuing “If it’s Tuesday we must be shut down; if it’s Wednesday we must be back up” drama in Brazil.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to [email protected] or leave a message at +1 202 862 5785.

Download the 126^th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!

Inspired by this week's podcast episode and a conversation with Brock Meeks, an old friend and sparring partner, I contributed the following op-ed to Atlantic Media's BRINK site. Many thanks to Victoria Muth for her assistance in turning my good intentions into an actual article.

Corporate executives are fed up with the current approach to network security. They’ve been spending more and more on security. Despite that spending, they’re told that they can’t expect to keep intruders out of their networks; the best they can hope for is to lock the intruders out of their most important files, or to keep hackers from exfiltrating all that data.

Government help seems useless. It rarely catches intruders or offers security advice beyond the obvious; however, it’s quite happy to punish corporate hacking victims after the fact, often imposing fines and liability on the victim for failing to implement a security measure that three-quarters of government agencies haven’t implemented.

It’s pretty clear that building higher walls around our networks is a dead end. So is tighter scrutiny and control over what happens on the network. These things have their place, just as locks on our doors and windows have a place in physical security; however, locks won’t stop thieves if they don’t have to worry about getting caught and sent to jail for breaching the homeowner’s security measures.

Government is failing us there, too. While there have been more high-profile indictments and even somewhat more prosecutions of hackers, the government lacks the resources to attribute most network compromises. A single large financial institution probably spends more on static network defense than the entire Federal Bureau of Investigation and Justice Department spend investigating intrusions nationwide.

Worse, the Justice Department and FBI have been spending at least some of those scarce resources trying to stop victims from going beyond static network defense, claiming that deploying active defenses that might have an effect outside the victim’s network islegally questionable under the Computer Fraud and Abuse Act(CFAA). Corporate network defenders know that they can’t defend their way out of the current crisis. More needs to be done to identify and deter attackers who, today, act with impunity.

More Effective Attacker Retribution Needed

We need, in short, a more effective method to attribute attacks—and more effective retribution for the attackers. That means taking another look at the laws and policies that have discouraged private companies from taking any active steps to attribute and deter intrusions. This could mean any number of measures. It might mean building “beacons” into documents so that when they are opened by attackers, they phone home to alert defenders that their information was compromised. It might mean using information provided by beacons to compromise the attackers’ network and gather evidence as to the attackers’ identities. It might mean stopping a DDOS attack by taking over the botnet, or by patching the vulnerability by which the botnet conscripted third-party machines.

We need a more effective method to attribute cyber attacks—and more effective retribution for the attackers.

Opponents call this “hacking back,” and they conjure dire consequences, such as the accidental shutdown of hospital intensive care networks, or massive retaliation against the United States because private actors have thwarted a state-sponsored intrusion. But network defenders aren’t forced to choose between huddling at home, waiting to be attacked and launching the cyber equivalent of a thermonuclear exchange. There are many ways to improve both our attribution and our retribution tools without resorting to indiscriminate attacks.

For example, Jeremy and Ariel Rabkin recently offered an interesting essay showing the kinds of intermediate steps that victims could sponsor without risking World War III. In essence, the Rabkins suggest that the government license private forensic firms to travel outside victims’ networks to attribute attacks.

We already live in a world where private investigators with special authorities and responsibilities supplement the efforts of government. Private investigators arguably transformed the security debate in 2009 by exposing a sophisticated espionage program known as GhostNet that attacked the network of the Dalai Lama. Attribution has only gotten better since then. Drawing in part on the work of private forensics firms, the U.S. has been able to attribute major cyber attacks to Iran, North Korea and China. The more investigators we can deploy, the more attacks we can attribute, and that means drawing on the security budgets of private industry, not just the federal government.

Putting Teeth in Retribution Efforts

After attribution comes retribution. Here, too, the U.S. government has made progress. For example, the Executive Branch and Congress have proposed a “Strategy on Mitigating the Theft of Trade Secrets” as well as a “Joint Strategic Plan on Intellectual Property Enforcement,” calling for improved protections by “naming and shaming” countries that don’t take certain actions against hackers. Justice Department indictments, even if they never produce arrests, have changed the sense of impunity in hacking circles.

But again, government cannot do the job alone. We need to bring private resources to bear on retribution as well as attribution—not by endorsing network attacks, but by encouraging retribution within the law. Luckily, once an attack has been attributed, legal remedies begin to look quite realistic. Companies that have received their competitors’ trade secrets from hackers begin to look quite vulnerable. These companies often do business in the U.S., and they can be sued here under several existing statutes.

The CFAA offers a private right of action against both hackers and those who benefit from the hacking. The new federal Trade Secrets Act allows suits against those who use trade secrets that they knew or had reason to know were stolen. And the International Trade Commission can ban a product from the U.S. if it incorporates hacked trade secrets.

So, if you’re a corporate official whose network is under attack and you’re persuaded that active defense is the only approach that will work, what can you do now, under current law?

Don’t expect much comfort from the Justice Department or the FBI. They’ll say that active defense is at least arguably a violation of the CFAA. What they won’t tell you, though, is that the CFAA exempts actions taken under law enforcement authority. Not federal law enforcement authority. Any law enforcement authority. If you can find a sheriff or attorney general who’s willing to deputize your forensics team, federal threats to invoke the CFAA lose most of their force.

In short, you don’t have to sit and take it anymore. There are plenty of risks in trying to go beyond passive network defenses, but there may be more risk in doubling down on an approach to network defense that has been failing ever more spectacularly for 30 years.

What’s the one argument in favor of hacking back best calculated to infuriate the State Department?  It's been found by the father and son, authors of a thoughtful paper on the topic for the Hoover Institution.  I interview them in episode 125 of the podcast.  Jeremy, a law professor at the Scalia Law School, and his son, Ariel Rabkin, a computer scientist out of Berkeley, have the expertise to deal gracefully and concisely with the policy debate over hacking back.  Their proposal charts a middle ground while cheerfully mocking State’s hand-wringing about the international consequences of permitting hacking victims to act outside their networks.  Bonus feature:  lifetime career advice from yours truly!

In the news roundup, Michael Vatis covers Microsoft’s surprising Second Circuit victory over the Justice Department in litigation over a warrant for data stored in Ireland.  The hidden issue in that case was data localization – the same issue driving the Justice Department’s new legislative proposal to allow foreign nations to obtain information from US data repositories.  That proposal is unpacked by special guest David Kris, former Assistant Attorney General for National Security and author of the treatise, National Security Investigations and Prosecutions.

In other news, LabMD has found yet another defendant in its campaign against Tiversa.  Michael discusses what may be the first judicial decision requiring a warrant to use a Stingray to locate a criminal suspect.  And HHS tries to achieve a plausible policy goal with an overreaching legal interpretation; as Michael explains, the result could be massive unintended consequences.

In quick hits:  more evidence that foreign nations are targeting our energy grid, FDIC engages in a surprisingly successful breach cover-up, a Chinese browser sends data back to China unmolested (all because we still haven’t funded the Europocrisy Prize, I argue), and the cyberwar on ISIS is going slowly, mainly, I argue, because cyberwar on ISIS is not all that good an idea.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to [email protected] or leave a message at +1 202 862 5785. 

Download the 125^th episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes, Pocket Casts, and Google Play!