cyber war or electronic espionage - active defense or hack back' · 2015-05-28 · hackers...

Post on 28-Jul-2020


"Cyber War or Electronic Espionage -

Active Defense or Hack Back"

David Willson, Attorney at Law, CISSP

Assess & Protect Corporate Information

Attacks on Nations

Georgia

Estonia

South Korea

United States

Canada

Iran

France

UK

Belgium

Attacks on Businesses

Allied Irish Banks

Why has hacking gotten so bad?

Great advances in technology

Hacker underground where you can buy malware, point and click hacking programs, tech support

Safety and anonymity

Who is Involved?

Hackers

Organized Crime

Terrorists

Nations

Digital Spies: The Alarming Rise of Electronic Espionage

“Foreign agents are stealing stealth technology, hacking heads of state, and sabotaging American companies. And while many of these attacks are traced to China, electronic espionage is an accelerating scourge that knows no national boundaries.”

(Adam Piore, Popular Science, Jan. 24, 2012)

Headlines!!

U.S.

Cyber-spying by China and Russia a threat

“Billions of dollars of trade secrets, technology and intellectual property are being siphoned each year from the computer systems of U.S. government agencies, corporations and research institutions to benefit the economies of China and other countries,” the Office of the National Counterintelligence Executive said.

(By Ellen Nakashima, Washington Post, Nov. 4, 2011)

Headlines!!

“Hack at Illinois Water Plant Shows Vulnerabilities in Critical Infrastructure”

Allegedly, hackers based in Russia were able to remotely shut down a water pump at a facility near Springfield.

(Sue Marquette Poremba, Nov 21, 2011, Reuters)

Headlines!!

“A new report from security firm FireEye released yesterday (April 12) accuses the Chinese government of having involvement in a decade-long cyber espionage operation aimed at attacking government agencies, corporations and journalists in India and across Southeast Asia.”

Headlines!!

“CHINA ACCUSED OF RUNNING 10-YEAR RING OF CYBER ESPIONAGE” (PYMNTS.COM)

See video here:

(https://www.youtube.com/watch?v=17FIA7qoyy0)

A Crippling Cyber Attack Would Be an 'Act of War' - Leon Panetta

Can we categorize the attacks on Nations?

Electronic Espionage?

Cyber War?

Criminal Hacking?

When does a cyber attack cross the line from hacking, cyber crime, or electronic espionage and become an ACT of WAR??

So, where do we draw the line?

LINGO

Cyber War

Act of War / Use of Force / Armed Attack

Electronic Espionage

Cyber Attack

LAW

Geneva Convention

Anticipatory Self-Defense

Customary Int’l Law

Hague Convention

UN Charter Art. 51 Self-Defense

See: Tallinn Manual

1. Use of Force: in response a nation may use lesser or equal means as compared to the original use of force (probably would not allow a kinetic response to a cyber attack considered a “use of force”)

2. Armed Attack: allows the attacked nation to respond with a proportional response (if cyber attack is considered an “armed attack,” the attacked nation can likely respond with a kinetic attack)

Use of Force v. Armed Attack

Issue: When does a cyber-attack equal an “armed attack?”

Theory: Any cyber-attack that may have the same result as a kinetic attack would likely be classified as an “armed attack”

Use of Force v. Armed Attack

• Defacing your adversary’s website? (Happened)

• Blocking their Internet access to the outside world? (Happened)

• Stealing their military secrets? (Happened)

Is this electronic espionage or an act of war?

• Planting logic bombs in critical infrastructure?

• What about in defense hardware and software: communication satellites, missile defense, etc.

Is this electronic espionage or an act of war?

Disrupting an adversary’s financial structure?

Erasing an adversary’s critical data?

What about disrupting or even altering GPS?

How about “challenging our ability to operate freely in the cyber commons?”

Is this electronic espionage or an act of war?

How about disrupting or setting back your adversary’s nuclear weapons program, or what they say is just nuclear power??

Is this electronic espionage or an act of war?

Dubai: The US will face a “teeth-breaking” response if it continues to carry out cyber attacks against Iran, an Iranian official said Wed.

“If the Americans’ futile cyber attacks don’t stop, it will face a teeth-breaking response,” . . . . (Iranian Students News Agency)

Do We Need a Response?

If a tree falls in the woods and no one hears it, does it make a sound?

If one nation attacks and the other does not respond do we have a war?

Do We Have a War?

Do you know who is attacking you?

Attribution (can you fire back blindly?)

“Sum of All Fears” http://www.youtube.com/watch?v=8GPu-oZ4p64

In this movie, terrorists made it appear that Russia detonated a nuclear weapon in Baltimore. This deception almost led to the US and Russia launching nuclear attacks on one another. Deception in cyberspace is much easier.

Critical Piece

In the 90’s a Russian professor declared that Russia considers information operations (the term used at the time) to be akin to a nuclear attack and retains the right to respond with a nuclear strike.

What About Precedent?

1. Has a cyber war already occurred?

2. Can we draw a clear line?

3. What factors must inevitably be considered?

a. Attribution

b. Escalation

c. Setting precedent

Recap

Stuxnet/Code Yellow/Shamoon

Act of War / Use of Force / Armed Attack??

Recap

Use of Force: I would argue that most of what we see in the news that is labeled a “cyber-attack” or “cyber war” could be considered a “use of force,” thus allowing the aggrieved nation to respond in kind.

Question: is the use of Stuxnet then considered a “use of force?” Yes

Is it an “Armed Attack?” This question is yet to be answered!!

Use of Force v. Armed Attack

What will it Take?

No single incident

Combination of attacks

Rise to level of do or die or economic Armageddon!

Eric Rosenbach, Deputy Assistant Secretary of Defense for Cyber Policy:

“A catastrophic cyber-war is important to prepare for, but an unlikely scenario. Stealing data important to the nation’s economic security, is occurring here and now!”

(National Defense July 2012)

Cyber Pearl Harbor?

Assuming we are not at war, then this is a Risk Management problem for companies.

How do you manage this risk?

Develop and implement Rules of Engagement (ROE) for your company. E.g. Do you have a plan?

• Businesses are on their own

• Government has its hands full!

• What can companies do?

• Active Defense!!

(Take the fight to the bad guys)

Attacks on businesses?

Economic Espionage?

Criminal Hacking?

Does the breach of a large company impact the national security of the nation where it resides?

Cyber Attacks – The Cost

Time

Money

We are losing the battle

Traditional defenses don’t work

New defenses and options are needed

500 Executives Surveyed…

“One thing is very clear: The cyber security programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries.”

www.pwc.com/cybersecurity

One sad reality is despite all the warnings, companies and individuals continue to fail to implement basic security practices.

Response

Nothing

Block

Call LE

Hack Back

Remove

Clean-up

Current Options for Business

Hack Back- Active Defense

What is it?

Is Hacking Back in Self-Defense Legal?

No

−C.H. “Chuck” Chassot of the DoD Command, Control, Communications & Intelligence office: “It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person.”

Is Hacking Back in Self-Defense Legal?

Yes

Timothy Mullen, CIO of AnchorIS, Inc.: People should be allowed to neutralize one that is unwittingly spreading destructive Internet worms such as Nimda

Jennifer Stisa Granick, litigation director at the Center for Internet and Society at Stanford Law School: “This is a type of defense of property. There is a lot of sympathy for that (kind of action) from law enforcement and vendors because we do have such a big problem with viruses.”

Deterrents to Hack Back

Law: Illegal to gain unauthorized access to a computer

Ethics: Highly probable that hacking back will affect innocent computers or networks

Retribution: You may awaken the beast!

Hack Back- Active Defense

Legal Issues

−Nations

Law of War

Law of Neutrality

Collateral Damage

Hack Back- Active Defense

Legal Issues

−Business

Domestic Law

International Law

Can/should businesses rely on their governments to defend them?

Can they take matters into their own hands?

Law

“Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby does or causes ‘XXX’ is in violation of XYZ Law.”

Embed Code in the “Phone Home” function of a Bot. When the Bot connects to the IRC server the Code disables it.

One Theory

Legal?

Did you have the intent to access the innocent computer or server being used as the IRC server?

Did you access that server without authorization?

Did you cause harm, alter, or in some way have a negative impact on the innocent computer?

Legal?, cont.

Does an infected computer impliedly grant you access to their system if their computer is causing damage to or plaguing your computer or network?

Wouldn’t a traditional scenario of self-defense apply in this situation?

Is the only driving factor imminence?

Legal?, cont.

Does an infected computer whose negligence allows your computer to be attacked, and the attack is ongoing or imminent, give you automatic authority to defend yourself by accessing that infected computer?

Can the victim of a bot attack claim that their code was automatic, used common protocols, followed the bot into the infected server (IRCd), and blocked the bot – did he exceed authorized access?

Common Objections: Retribution and Ethics

Issues

“You will start a war with China!”

Really?

“You will impact an innocent bystander!”

No one in this scenario is innocent.

Victim? Yes!

Innocent? No!

Business Owner, Executive, Leader: What’s Your Responsibility

Protect the business

Assess the risk

Implement good security

Reduce or eliminate liability

Protect reputation

Recover quickly

www.lowestoftjournal.co.uk

Hack Back Scenario

Questions?

David Willson Attorney at Law, CISSP

Assess & Protect Corporate Information

david@titaninfosecuritygroup.com

Text the number 50500

In the message type: titansecurity
