Agora Active Defense Workshop Report

The Agora[1] and the University of Washington Information School’s “Active Defense” research project (funded by a grant from Cisco Systems Critical Infrastructure Assurance Group) co-sponsored a workshop in the Arctic Building in Seattle, Washington, on September 12, 2003 to discuss Active Defense. This was the third workshop that the Agora has held over the past two years. What follows is a rough overview of the discrete topics covered in the workshop. Resources and cases cited by participants, as well as other information related to this workshop and the Active Defense research project, can be found at the project web site:

Background - Active Defenses to Cyber Attacks

To kick off the workshop discussions, Dave Dittrich first presented a framework for “Active Defense,” which later led into an attack scenario that he presented along with John Christiansen. The slides and audio for this section are available on the web:


The Department of Defense Perspective

The Department of Defense recently went through a similar workshop and discussion process in an attempt to tease out the details surrounding active defense in the military computer network sphere. The DoD came up with a tiered model for active defenses that follows a progression, with each higher tier requiring a more senior level of command to authorize the action. The tiers (growing upwards from 1 at the bottom to 3 at the top) are:

  1. Enhanced defensive actions;
  2. Actions that would enable attribution;
  3. Actions which could cause “minimal and temporary” damage to someone else’s computer system.

The key goals of this progressive response are to ensure a clear line of authority for any action taken, to keep any cyber response proportional, to be in line with other types of response, and to use the least force necessary to obtain an objective.

“The Battle Space” – Comments by Tom Donohue

When the Intelligence Community discusses computer operations with the military in support of any kind of planning for action, they constantly ask these questions: “What is the battle space? How well do you understand the landscape in which you will be carrying out operations, and how do you stack up against your enemy? If someone has been scanning and probing your network for weeks or months, what do they know about you as opposed to what you know about them? What happens if you decide to strike back, and more importantly, if you actually do manage to hit the right person, what will they then do in retaliation?”

When members of the electric power industry do “red teaming” to test the security of their computer networks, they are very careful not to break in if the site being tested has SCADA[2] systems on the network being audited. This is because the networks with these systems can be so unstable that the impact of a heavy-handed penetration test is unpredictable and could cause actual outages. An example given was a case where an attacker broke into a system and simply began to scan the network from that system. The act of scanning alone was enough to cause the network to become unstable and to start failing. This was purely an accident, but it underscores the question, “do you understand the battle space – that you are part of it – and do you realize what kind of damage a malicious attacker can cause against you?”

SUMMARY OF “GENERAL DISCUSSION (1)”

The participants had been presented with a scenario that theoretically might evoke an “active defense” response. The question was posed to the participants: given this scenario, what would you do? As indicated below, many of the “answers” really revolved around what should have been done prior to the attack to prevent it from occurring or succeeding in the first place, and most of these were technical measures.

Another category of response focused on information gathering. How, once under attack, can you gather sufficient information about what is happening to your system? What is the source of the attack? Jurisdictional concerns were also touched upon briefly: a participant asked where the attacked systems, and the systems being used to mount the attack, were located. The scenario assumed the answer was the United States in both cases, but the participants recognized how quickly things would get even more complicated if international aspects or jurisdictions were involved.

Participants raised some of the following concerns:

  • How quickly an attack can occur;
  • Possible address spoofing by the attackers;
  • Companies making sure they have backup capabilities for online access;
  • Standards of care that might be enforced against servers that were “innocently” being used to launch attacks;
  • Whether the severity of “attacking back” should be weighed against the risk of not attacking back – for instance, whether human life is at stake, as in a DDoS against a hospital versus a bank or a retail bicycle store;
  • Pressure on systems administrators and others from their bosses in an attack situation.

SUMMARY OF DOMESTIC LEGAL CONSIDERATIONS

During an attack, competent and tech-savvy legal counsel would make some assumptions, e.g., “it’s a University, and they have lax security,” and would advise, “these are the risks – you make your decision appropriately.” If the situation were slow-moving, a lawyer could write up a complaint against the University, get a restraining order from a court (there is precedent in a Texas court), and get legal backing for intervention. In a fast-moving situation, there would be no time for this.

It could be argued that the University network is “an attractive nuisance” and that the University may be negligent. A victim who believes they are therefore justified in taking action may be surprised if they cause damage and are then faced with a court deciding which party is more negligent and how to split the damage costs. Arguments would be made about standards of care and the difficulty of securing University networks. Liability is certainly becoming a hot topic, and it is only a matter of time before more liability suits come about regarding negligence in securing computer systems.

A decision by an executive in a corporation to take action should place the liability on the corporation as a whole, not individually on those at lower levels who act on the orders of a corporate executive.

The discussion then headed into the criminal side, looking at the actions of someone acting to protect their systems. In the area of damage to property, there are statutes about shooting animals (Ivan Orton found court decisions[3], statutes[4] and news articles regarding shooting bear[5] or moose out of season when they were caught damaging someone’s property). The statutes are a little unclear, but do show that there is some precedent regarding use of force in protection of property. (Where and how these could be analogized to the cyber environment is not clear.)

You have more leeway if the person is clearly acting against you. If the attacker has some claim of right, it is harder to justify going after the attacker. You must still avoid actions that result in “substantial danger of bodily harm” to the attacker you are going after; you must use the minimal force necessary, and it must be proportional to the attack against you and not significantly more forceful. Intent would also be taken into consideration (the wording in Washington State’s malicious mischief statute[6] is “to vex, harass, annoy.”[7]) A “reasonable person” standard is used. Washington’s Computer Trespass statutes[8] simply say, “…intentionally gain access to a computer system without authority.” There is no defense written into (or implied within) this statute that would allow someone defending their own system to enter a compromised computer. It is not clear whether common law would provide a defense in this area.

The concept of “self defense” is not clear in Active Defense scenarios. People often claim they are acting in “self defense”; however, this is not a personal physical attack, and the response is (most likely) directed against property rather than directly against a person. The same problem comes up when trying to apply “use of force” guidelines, such as those used by police departments. Ivan’s examples were explicitly focused on use of force to protect property.

One participant brought up the issue of scanning as a means of data collection, and asked whether it falls under the “computer trespass” statutes. In Washington, the statute uses the term “accesses.” One Washington case involved “war dialing” and turned on whether this was unauthorized access or not. (Ivan’s opinion was that this was akin to doorknob rattling, which is not actual trespass.)

Another participant brought up that the hospital (and the University) in the attack scenario had no intent to harm anyone, and were in fact just used as stepping-stones by someone else. That would imply that they have no criminal liability, and since they lack malicious intent, actions against their systems may not be justifiable. Ivan and John both pointed out that this would likely be a civil liability issue, not a criminal one, although John mentioned that a law enforcement agency friendly to the attacked site might very well try to bring criminal charges.

In this scenario, the victim considering Active Defense is a financial institution, and therefore may be required to inform the SEC (or other authorities) about the attack, especially if the attack may have been waged by a competitor. A point was made that you had better do good forensics in a case like this.

Current laws regarding assault only deal with real persons, not computer systems. It is unclear whether laws will adapt to this situation and begin to consider computer systems in terms of assault or self-defense. Another body of law that may apply is that of industrial espionage (e.g., doing harm through theft of intellectual property). This may most cleanly be framed as “tortious interference with various economic activities,” for which there is a civil remedy.

SUMMARY OF “MISCELLANEOUS COMMENTS & DISCUSSION”

One participant raised the point that online security specialists are required before certification to read and sign a Code of Ethics that puts the interests of society higher than the interests of any particular employer. This participant asked how many people in the room were certified security specialists and received a smaller number of respondents than he had hoped.

A second participant introduced upcoming topics such as active defense in the international arena; how different organizations might respond differently depending on whether the organization was a critical care facility, a public safety agency, or a private business; and preventive tools or aids that might be put in place to avoid having to make snap decisions in an attack situation.

SUMMARY OF INTERNATIONAL LEGAL CONSIDERATIONS

Criminal law is very well defined here in the United States with regard to computer crimes. Internationally, however, there is very little law concerning computer intrusions. Laws concerning computer systems and electronic forms of data and property differ widely from country to country, if there even are laws covering these topics. In many countries, computer data (information) is not considered property at all.

An example given at the workshop was Onel de Guzman[9], author of the “I Love You” virus. Laws in the Philippines at the time de Guzman launched this virus did not consider computer data to be property, and the Philippines had no laws on its books covering computer intrusion or damage. The FBI quickly tracked the attack to de Guzman and had the cooperation of the Philippine federal police, but when the FBI asked that de Guzman be arrested, the courts in the Philippines could not help. Nothing could be done, despite significant estimated worldwide damages running into the millions of dollars.

In addition to needing a law under which to bring a criminal action, another requirement for extradition is that the act must be illegal in both jurisdictions. (This is known as “dual criminality.”) Going back to the de Guzman case, he could not be brought to the US to stand trial for the same reason: he had broken no existing Philippine law.

Another international legal issue arises, in situations where dual criminality is satisfied, when a foreign government believes that a criminal law of its country has been violated. If a foreign entity detects the Active Defense actions of an individual, tracks that individual back and identifies her, and reports it to their federal law enforcement, it may be investigated as a crime. The foreign government would then issue a warrant for the suspect’s arrest and serve it on the United States Department of State, which serves it on the FBI, which then arrests the suspect and prepares to deliver the suspect to the foreign government. This is the worst-case scenario (for the Active Defender). In the best case, our government refuses to extradite. The problem is that one cannot predict which result one will get.

One example here is the “Invita” case[10]. In this case, the FBI was able to entice two suspects from Russia to come to the US for an “interview.” During the “interview,” the FBI obtained an account and password for the suspects’ system in Russia and used them to do remote forensic data collection. The Russian government issued a warrant for the FBI agent’s arrest, which the US government chose not to honor. If this agent were to travel to Russia, or to a country with a friendly relationship to Russia, he would stand a chance of being arrested and handed over to the Russian government.

Finally, above and beyond the legal issues of international computer activity, a major concern is how a foreign government will interpret these actions. Some countries would consider an attack on their military command and control networks by an entity that could be associated with a foreign government’s military to be an act of war, and might choose to respond militarily. (One example cited was the stated response of Russia to attacks on its military command and control networks, which is to use force up to and including nuclear weapons.) A situation where this was an issue was the 1994 Rome Labs[11] case involving “Datastream Cowboy” and “Kuji,” two UK hackers who used systems at Rome Labs as stepping stones to break into systems at the Korean Atomic Research Institute, steal data from the Korean system, and store it back at Rome Labs. The US military and FBI, who were monitoring the incident and attempting to track the hackers, were not sure at the time whether this host was in South or North Korea, and feared that North Korea would interpret any U.S. response as an attack by the US military and would respond as if it were.

SUMMARY OF GENERAL DISCUSSION (2)

The point was made that we are attacked and probed all the time, and an open question was posed: what is the intent behind these probes, are they nation-state actors, and when would they be considered an act of war? A participant pointed out that in the military context, the only people authorized to pull a trigger are people in the military, and that only two people can authorize a computer network attack: the Secretary of Defense or the President.

A participant asked what would happen if an elite law enforcement force were available to get involved in any kind of network security incident. Could this force take the necessary trace-back actions, gather the critical evidence, and call for measures to block a network attack? (A proposal to this effect was made in 1998 by Stevan Mitchell and Elizabeth Banker in their Harvard Journal of Law and Technology article, “Private Intrusion Response.”[12])

The concept of a private industry response to computer network attack is an interesting one, but a participant brought up a worry the military has about “fratricide.” What would be the effect of a private active defense response in a situation that was actually a military attack? If there really is a larger-scale attack, and the military is assessing the scope of that attack and trying to geo-locate an adversary, could the actions of a private individual inadvertently block the military and prevent attribution? Would those actions result in a greater harm?

When a private entity in Country A strikes back at a private entity in Country B, there may be no lawful self-help option at all, leaving nothing but “proper channels.” There may be no justifiable right to self defense, or defense of property, in an international situation. (Of course, computer attackers have for many years taken advantage of this situation to make it less likely they will be caught or stopped.)

Another participant made the point that an action against a foreign government requires Congressional intervention, and cannot be taken by a private individual. However, it may not be clear whether an attack comes from a foreign military adversary or from a foreign private individual. It may not even be clear whether an individual attack is part of something larger and more concerted. Conversely, an attack that appears to come from a large corporation in the United States (one that happens to be a military contractor) may be interpreted by a foreign government as a military attack on its infrastructure. (Again, look at the Rome Labs incident.)