Tag Archives: cyber defense

Active Defense: Is it time to test in court? Correcting the Record!

by David Willson

On 16 January I did two webinars with Bright Talk.  One titled, “Active Defense: It is Legal and Will It Actually Improve your Security?,” and the other a panel entitled, “The single greatest security challenges for 2013.” 

Quick side note, due to my zeal for this topic I babbled on too long in the Active Defense webinar and ran out of time before getting to the meat of the issue.  But I am going to do another on 13 March and will manage my time better.  Anyway, Peter Judge moderated the panel for the other webinar and Active Defense was my portion. 

We had a great discussion and I would encourage you to listen if you are interested.  It can be found here: https://www.brighttalk.com/webcast/288/64057. 

On 22 January Peter wrote an article for Tech Week Europe entitled, “Its Time to Test Active Defence in Court,” found here: http://www.techweekeurope.co.uk/comment/2013-time-to-test-active-defence-in-court-105048. 

Although he got the facts correct and most of what I said in the webinar correct, the tone in which he portrays my comments I feel needs some clarifying.  This is not me trying to pull myself out of the fire, since I have not seen any feedback from his article, but simply my clarification.  So, now that I am done with my overly wordy intro, here we go.

To his first point, I agree that cyber crime victims are within their right to retaliate, but would preface this as any good attorney would with “it depends!”  It depends on the facts and circumstances.  For instance, if the attack is a one-time attack and is over, then you DO NOT have a right to retaliate. 

Similar to when someone robs your house.  If they are gone you have no right to pursue the burglar on your own.  On the other hand, if you have been attacked repeatedly and are sure it continues or will happen again you have a right to defend yourself.

Okay, next comment, “Itching to test this in court.”  Well, personally yes, but I did not say this, and other than my passion for trial work and arguing in court, no one likes to find themselves dragged into court.  But, if the situation dictates that you must do something to protect your company, you have tried all other options and are interested in moving to the next level, then you have options.

Next: “. . . instead of putting in a “huge hodgepodge of security measures” to stop any threat.”  Security is a MUST.  Anti-virus, despite what Josh Corman says, is a MUST.  Anything that can help protect your network and valuable information is a MUST.  If you are going to move into Active Defense you MUST show that you have taken the high ground, done all you can, within reason, and taken an incremental approach slowly escalating as you collect the needed intel.

Next: “Persistent attacks may be bleeding hundreds of thousands of dollars from companies, and in that situation, they should be within their rights to respond, says Willson.”  Yes, they should.  If your company is losing 50 to 100 thousand dollars a week and you have done everything else you believe possible, to include called or considered calling law enforcement, to no avail, self-defense should be an option.

In the interest of time I will make this my last point.  Peter claims that I said those whose networks have been hacked and are being used to attack others are not necessarily innocent victims.  I agree, although this sounds rather ugly. 

Let’s use a physical world example.  Let’s say a bad guy has drugged and brainwashed your neighbor to believe he is a contract killer and his mission is to kill you.  Even if you know this is fact and your neighbor is an innocent unknowing pawn, if he tries to kill you wouldn’t you defend yourself?  You would likely try to diffuse the situation with the least amount of harm to your neighbor, but in the end if it is him or you unless you have a death wish it will be him. 

Active Defense entails escalation, taking the minimal approach at first and slowly escalating with the leadership of the company, not the IT department, making informed decisions based upon risk, liability and legal issues.  The nuclear weapon of cyber is your last resort if that is what the leadership decides to do.

So, there you have it.  Obviously there are many more issues none of them black and white, and this is a very difficult problem.  If it wasn’t there wouldn’t be so much debate about it. 

One last point.  Lately I have been reading a lot of articles, especially by attorneys saying things like, “it’s illegal, don’t do it, but, we are the experts and we can help you.”  Help you do what?  If they are not willing to explore the options then there is nothing for them to do.  Also many articles lately have claimed that “attribution” is impossible.  Stop it.  If it was impossible no one would ever be arrested and prosecuted for hacking.  It is difficult, but not impossible.  So, keep an open mind, think outside the box, and have a nice day ;- ).

Active Defense: “We are the Government; We are here to help.” Well, not so much

Over the last year I have been writing and speaking on hacking back in self-defense, and every time I poll an audience as to whether hacking back is legal I get a resounding NO! 

Then I walk the group through a theory of self-defense in cyberspace and re-ask the question with a slightly different spin. At that moment most agree that based on the manner in which the scenario and theory were presented it does not sound illegal; a ray of hope suddenly appears in their eyes. 

Is this a play on words? Am I mincing words and definitions with questions like “what is the definition of is?”  No, it is a real and workable theory; a new way of looking at the problem.

Let’s face it, if the government was going to and could help you they would. But like most companies they too are overwhelmed defending against a daily barrage of cyber-attacks. So, what‘s the answer? Continue to absorb escalating costs of operation caused by unrelenting hackers? Accept the loss of proprietary data, intellectual property or trade secrets and consequently millions of dollars and reputation?  At what point should the good guys declare enough is enough? 

We are currently in a “cyber-cold war” and the targets are anyone online with something to steal or disrupt. Three options exist:

  1. Continue with business as usual
  2. Do as some have and take matters into your own hands but try to stay below the radar and not get caught
  3. Or, plan an active defense similar to a military operation to defend your company and justify each and every decision made

At RSA Europe in London we will present a legal and workable framework for commercial companies to practice active defense.

When Is Electronic Espionage an ‘Act of War?”

Is the U.S. engaged in a “cyber war?” 

Until recently the identity of the perpetrators of cyber-attacks against U.S. networks, infrastructure and the military were clouded in suspicion and not spoken of out loud.  There has been much speculation about cyber war or a cyber-Pearl Harbor, but no official declaration of what constitutes cyber war or naming of names, until now. 

In March, General Keith Alexander, speaking before Congress, and in May, Secretary of Defense Leon Panetta, during an interview with ABC News, outwardly named China as the main perpetrator and identified criteria for defining cyber war.  General Alexander, the Director of NSA and CYBERCOM commander, stated, “China is stealing a ‘great deal’ of military-related intellectual property from the United States and was responsible for last year’s attacks against cyber security company RSA . . . .”[1] Secretary of Defense Panetta said, “Well, there’s no question that if a cyber attack, you know, crippled our power grid in this country, took down our financial systems, took down our government systems, that that would constitute an act of war.”[2]

Over the last year the Department of Homeland Security (DHS) has voiced their concern over the vulnerability of our critical infrastructure, oil and gas refineries, electric grids and nuclear reactors, to potential cyber-attacks. If you are not fully convinced of the threat, consider the “Shady RAT (remote access tool)” report by McAfee wherein they identify companies and governments which recently discovered that hackers have been in their networks for the last five or six years undetected.[3]

One might conclude that a clear picture is emerging, but is it? 

During the Cold War, when government secrets were stolen, it was treated as espionage or spying.  Remember all of the spies tried for espionage: Aldrich Ames, Robert Hansen, the shoot down of Gary Powers and the U2 spy plane over the USSR.  What if a nation placed “sleeper cells” in its adversary’s country ready to attack critical infrastructure if a war broke?  Would this be considered spying and part of the “cat and mouse” game or grounds for a retaliatory strike?

Does the fact that these activities can now be accomplished electronically from the safety and comfort of your own nation change the playing field?  At the time, we probably considered the flights of the U2 relatively safe since it flew above the threat zone of anti-aircraft guns.  Does stealing terabytes of military secrets or planting logic bombs in critical infrastructure (to be launched in a moments’ notice to disable the infrastructure) cross the line from espionage to war or an “act of aggression?”  

This and many similar scenarios are now the new normal and must be defined as nations and the international community grapple with technology and current and future capabilities.  Where should the line be drawn?  Do we just accept, that an adversary, via computers, can now access and potentially steal, manipulate, or destroy information and functionality, or should nations aggressively draw the line now and openly retaliate in protest?

Obviously, as Secretary of Defense Panetta stated, if you disrupt critical infrastructure, deny critical communications, or blind a military defense system, the line has likely been crossed.  Certainly defacing a website does not even come close to being an act of war or aggression.  What about stealing terabytes of military secrets to later be used to disable your adversary’s defenses?  Possibly!  For now the line will be defined by the reactions of various nations faced with cyber-attacks.  If a nation does nothing or retaliates with a similar attack, e.g. theft for theft, then a line has been drawn and a precedent set.

A similar problem is the issue regarding Iran and nuclear weapons.  Is Iran’s pursuit of nuclear weapons and statements attributed to them about annihilating Israel and the West enough provocation to take aggressive action to prevent them from obtaining a bomb?  Clearly no one wants to escalate the situation but most agree something must be done before it is too late.  Similarly, in the cyber arena, all interested parties are reacting very cautiously in their response to cyber-attacks, likely to avoid escalation and the setting of precedence. 

In the Estonian and the Georgian conflicts the reaction was to block, clean up, and speculate about who may have launched the attacks and only the media claimed cyber war.  Not until recently has one nation, e.g. the U.S., been so vocal about who is using cyber espionage and attacks to invade and plague their networks.


[1] NSA Chief: China Behind RSA Attacks, J. Nicholas Hoover, Information Week Government (Mar. 27, 2012) http://www.informationweek.com/news/government/security/232700341.

[2] Leon Panetta: A Crippling Cyber Attack Would Be ‘Act of War’, Jake Tapper, ABC News (May 27, 2012) http://abcnews.go.com/blogs/politics/2012/05/leon-panetta-a-crippling-cyber-attack-would-be-act-of-war/.

[3] McAfee: Operation Shady RAT, http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf.

Hacking Back Part II

In my last blog on “Hacking Back” I asked is it legal, ethical, and do I have a right to defend my network against yours? Well, I believe it is legal and ethical, and absolutely, I have the right under “self-defense” to defend my network from being attacked by yours, even if you do not know that your network is attaching mine!

Obviously if I know who you are and can contact you I would be obligated to do so. This scenario assumes I have no idea where the attack is coming from.

When considering hacking, hack back, self-defense in cyber space, etc., you must consider the fact that everything happens literally at the speed of light. So, saying I must contact law enforcement, collect evidence, and go to court is the same as saying “just accept it, and hope to recover all of your losses from a court, even if your company has since been put out of business.”

Here is my next question for comments:

Does anyone wish to argue that if their network has been compromised by hackers and is attacking others without their knowledge, the party or parties they are attacking have NO right to take action to stop those attacks?

My hacking back article can be found on Titan Info Security Group under white papers.