cyber war or electronic espionage - active defense or hack back' · 2015-05-28 · hackers...
TRANSCRIPT
"Cyber War or Electronic Espionage -
Active Defense or Hack Back"
David Willson Attorney at Law, CISSP Assess & Protect Corporate Information
Attacks on
Nations
Georgia
Estonia
South Korea
United States Canada
Iran
France UK
Belgium
Attacks on
Businesses
Allied Irish Banks
Why has hacking gotten so bad?
Great advances in technology
Hacker underground where you can buy malware, point and click hacking programs, tech support
Safety and anonymity
Who is Involved?
Hackers
Organized Crime
Terrorists
Nations
Digital Spies: The Alarming Rise
of Electronic Espionage
“Foreign agents are stealing
stealth technology, hacking heads
of state, and sabotaging American
companies. And while many of
these attacks are traced to China,
electronic espionage is an
accelerating scourge that knows
no national boundaries.”
(Adam Piore, Popular Science, Jan. 24,
2012)
Headlines!!
U.S.
Cyber-spying by China and Russia a
threat
“Billions of dollars of trade secrets, technology
and intellectual property are being siphoned
each year from the computer systems of U.S.
government agencies, corporations and
research institutions to benefit the economies
of China and other countries,” the Office of the
National Counterintelligence Executive said.
(By Ellen Nakashima, Washington Post, Nov. 4, 2011)
Headlines!!
“Hack at Illinois Water Plant
Shows Vulnerabilities in Critical
Infrastructure”
Allegedly, hackers based in
Russia were able to remotely
shut down a water pump at a
facility near Springfield.
(Sue Marquette Poremba Nov 21, 2011-
Reuters)
Headlines!!
“A new report from security firm FireEye released yesterday (April
12) accuses the Chinese government of having involvement in a decade-long cyber espionage
operation aimed at attacking government agencies, corporations and journalists in India and across
Southeast Asia.”
Headlines!!
“CHINA ACCUSED OF RUNNING 10-
YEAR RING OF CYBER ESPIONAGE” (PYMNTS.COM)
See video here:
(https://www.youtube.com/watch?v=17FIA7qoyy0)
A Crippling Cyber Attack Would Be
an 'Act of War' - Leon Panetta
Can we categorize the attacks on Nations?
Electronic Espionage?
Cyber War?
Criminal Hacking?
When does a cyber attack
cross the line from hacking,
cyber crime, or electronic
espionage and become an
ACT of WAR??
So, where do we draw
the line?
LINGO
Cyber
War
Act of War/
Use of Force/
Armed Attack
Electronic
Espionage Cyber
Attack
LAW
Geneva
Convention
Anticipatory
Self-Defense
Customary
Int’l Law
Hague
Convention
UN
Charter
Art. 51
Self-Defense See:
Talinin
Manual
1. Use of Force: in response a nation
may use lesser or equal means as
compared to the original use of force
(probably would not allow a kinetic
response to a cyber attack considered a
“use of force”)
2. Armed Attack: allows the attacked
nation to respond with a proportional
response (if cyber attack is considered
an “armed attack,” the attacked nation
can likely respond with a kinetic attack)
Use of Force v. Armed Attack
Issue: When does a cyber-attack
equal an “armed attack?”
Theory: Any cyber-attack that may
have the same result as a kinetic
attack would likely be classified as
an “armed attack”
Use of Force v. Armed Attack
• Defacing your adversary’s website? (Happened)
• Blocking their Internet access to the outside world? (Happened)
• Stealing their military secrets? (Happened)
Is this electronic espionage or an
act of war?
• Planting logic bombs in critical infrastructure?
• What about in defense hardware
and software: communication satellites, missile defense, etc.
Is this electronic espionage or an
act of war?
Disrupting an adversary’s financial structure?
Erasing an adversary’s critical data?
What about disrupting or even altering GPS?
How about “challenging our ability to operate freely in the cyber commons?”
Is this electronic espionage or an act of
war?
How about disrupting or setting back your adversaries nuclear weapons program, or what they say is just nuclear power??
Is this electronic espionage
or an act of war?
Dubai: The US will face a “teeth-breaking” response if it continues to carry out cyber attacks against Iran, an Iranian official said Wed.
“If the Americans’ futile cyber attacks don’t stop, it will face a teeth-breaking response,” . . . . (Iranian Students News Agency)
Do We Need a Response?
If a tree falls in the woods and no one hears it, does it make a sound?
If one nation attacks and the other does not respond do we have a war?
Do We Have a War?
Do you know who is attacking you?
Attribution (can you fire back blindly?)
“Sum of All Fears” http://www.youtube.com/watch?v=8GPu-oZ4p64
In this movie, terrorists made it appear that Russia detonated a nuclear weapon in Baltimore. This deception almost led to the US and Russia launching nuclear attacks on one another. Deception in cyberspace is much easier.
Critical Piece
In the 90’s a Russian professor declared that
Russia considers information operations (the term used at the time) to be akin to a
nuclear attack and retains the right to respond with a
nuclear strike.
What About
Precedence?
1. Has a cyber war already occurred?
2. Can we draw a clear line?
3. What factors must inevitably be considered?
a. Attribution
b. Escalation
c. Setting precedence
Recap
Stuxnet/Code Yellow/Shamoon
Act of War/
Use of Force/
Armed Attack??
Recap
Use of Force: I would argue that most of
what we see in the news that is labeled a
“cyber-attack” or “cyber war” could be
considered a “use of force,” thus
allowing the aggrieved nation to respond
in kind.
Question: is the use of Stuxnet then
considered a “use of force?” Yes
Is it an “Armed Attack?” This question is
yet to be answered!!
Use of Force v. Armed Attack
What will it Take?
No single incident
Combination of attacks
Rise to level of do or die or
economic Armageddon!
Eric Rosenbach, Deputy Assistant
Secretary of Defense for Cyber Policy:
“A catastrophic cyber-war is
important to prepare for, but an
unlikely scenario. Stealing
data important to the nation’s
economic security, is occurring
here and now!”
(National Defense July 2012)
Cyber Pearl Harbor?
Assuming we are not at war,
then this is a Risk Management
problem for companies.
How do you manage this risk?
Develop and implement Rules of
Engagement (ROE) for your
company. E.g. Do you have a
plan?
• Businesses are on their own
• Government has its hands full!
• What can companies do?
• Active Defense!!
(Take the fight to the bad guys)
Attacks on businesses?
Economic Espionage?
Criminal Hacking?
Does the breach of a large company impact the national security of the nation where it resides?
Cyber Attacks – The Cost
Time
Money
We are losing the battle
Traditional defenses don’t work
New defenses and options are needed
500 Executives Surveyed…
“One thing is very clear: The cyber security programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries.”
www.pwc.com/cybersecurity
One sad reality is despite all the warnings, companies and individuals continue to fail to implement basic security practices.
Response
Nothing
Block
Call LE Hack
Back Remove
Clean- up
Current Options for Business
Hack Back- Active Defense
What is it?
Is Hacking Back Self-Defense Legal?
No
−C.H. “Chuck” Chassot of the DoD Command, Control, Communications & Intelligence office: “It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person.”
Is Hacking Back in Self-Defense Legal?
Yes
Timothy Mullen, CIO of AnchorIS, Inc.: People should be allowed to neutralize one that is unwittingly spreading destructive Internet worms such as Nimda
Jennifer Stisa Grannick, litigation director at the Center for Internet and Society at Stanford Law School: “This is a type of defense of property. There is a lot of sympathy for that (kind of action) from law enforcement and vendors because we do have such a big problem with viruses.”
Deterrents to Hack Back
Law Ethics Retribution
Illegal to gain
unauthorized
access to a
computer
Highly probable
that hacking
back will affect
innocent
computers or
networks
You may
awaken the
beast!
Hack Back- Active Defense
Legal Issues
−Nations
Law of War
Law of Neutrality
Collateral Damage
Hack Back- Active Defense
Legal Issues
−Business
Domestic Law
International Law
Can/should businesses rely on their governments to defend them?
Can they take matters into their own hands?
Law
“Whoever intentionally
accesses a computer without
authorization or exceeds
authorized access, and thereby
does or causes ‘XXX’ is in
violation of XYZ Law.”
Embed Code in the “Phone
Home” function of a Bot.
When the Bot connects to the IRC server the
Code disables it.
One Theory
Legal?
Did you have the intent to access the innocent computer or server being used as the IRC server?
Did you access that server without authorization?
Did you cause harm, alter, or in some way have a negative impact on the innocent computer?
Legal?, cont.
Does an infected computer impliedly grant you access to their system if their computer is causing damage to or plaguing your computer or network?
Wouldn’t a traditional scenario of self-defense apply in this situation?
Is the only driving factor imminence?
Legal?, cont.
Does an infected computer whose negligence allows your computer to be attacked, and the attack is ongoing or imminent, give you automatic authority to defend yourself by accessing that infected computer?
Can the victim of a bot attack claim that their code was automatic, used common protocols, followed the bot into the infected server (IRCd), and blocked the bot – did he exceed authorized access?
Common Objections: Retribution and Ethics
Issues
“You will start a war with China!”
Really?
“You will impact an innocent bystander!”
No one in this scenario is innocent.
Victim? Yes!
Innocent? No!
Business Owner, Executive, Leader:
What’s Your Responsibility
Protect the business
Assess the risk
Implement good security
Reduce or eliminate liability
Protect reputation
Recover quickly
www.lowestoftjournal.co.uk
Hack Back Scenario
Questions?
David Willson Attorney at Law, CISSP
Assess & Protect Corporate Information
Text the number 50500
In the message type: titansecurity