Saturday, October 15, 2011

Emails of Marque and Reprisal

I was recently interviewed by Michael Kassner on the topic of digital forensics. The interview was geared more towards being an introduction to digital forensics for those who might not be familiar with the topic. You can read that interview on TechRepublic. It was a bit of a switch being the one interviewed and I hope you like the results.

I will be the keynote speaker for the SC World Congress eSymposium on Advanced Persistent Threats. The event will be on October 25th starting at 12PM Eastern. I'll give about a 30 minute presentation on APT and then there will be a question and answer period for about 15 minutes.

Not too long ago I saw a Tweet that mentioned privateering in the context of information security. I don't remember the details of the Tweet or the link that it might have pointed to, but it inspired me to think about the convergence of old maritime law, piracy, and cyber security. My dirty little secret is that information security wasn't my first choice for a career path. When I was growing up, I wanted to be a United States Navy Surface Warfare Officer. I had a bit of a complication when it came to that goal because at the time I was legally blind without corrective lenses. It turns out that the US Navy was sub-enthusiastic about the idea of a partially blind person commanding a powerful warship and they invited me not to join them. I ended up in law enforcement as a consolation prize and eventually caught the cyber security bug, which brought me into the private sector.

While I wasn't able to join the team, so to speak, I have kept my love for military history and respect for the work that military people do in their everyday roles protecting the rest of us. I started to think more about the privateering idea and was struck by how some of the themes from 18th century maritime warfare sound similar to today's cyber espionage issues. Privateering was essentially a practice where a nation-state outsourced some of its naval warfare to private actors who would engage and profit from attacking and capturing enemy shipping. A privateer would be granted a letter of marque authorizing them to attack enemy ships. The privateers would then attack enemy ships and keep what they captured as payment for their services. The nation-state benefited by having enemy shipping disrupted without having to use its own limited naval resources, and the privateer profited from the captured property. It was a nice flex-and-surge model where a country like the United States could ramp up to meet a threat from a more powerful adversary such as the British, whose navy was much larger and more powerful than the early United States Navy.

We've seen the reemergence of piracy in the Gulf of Aden that has caused problems for modern shipping. We have dispatched modern naval forces to combat these pirates* and there has even been some talk about using letters of marque to combat the problem. Congressman Ron Paul suggested that very thing in response to Somali pirates. Given that actually capturing Somali pirate vessels just results in grabbing some very unhappy pirates in a cheap boat with some side arms and doesn't provide much profit motive, the idea appears to be to place a bounty on the pirates. I don't know how great of an idea that is, but the United States Constitution does give the United States Congress powers in this area. Specifically, Article I, Section 8 authorizes Congress "To define and punish Piracies and Felonies committed on the high Seas, and Offenses against the Law of Nations" and "To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water".

I'm not a constitutional scholar, so I'm not sure if Congress could even authorize Letters of Marque for cyberspace (Emails of Marque and Reprisal?) since the text is specifically talking about the high seas. But setting that aside, if they could do that sort of thing, it would seem to be roughly applicable in the cyber security world. There are some striking similarities between the situation now in the cyber security world, with nation-state actors engaging in relentless cyber espionage against private industry, and what the United States faced several centuries ago. Back in the 18th century, the United States was up against a very advanced adversary in the British Empire, which had sea superiority because of its impressive naval service. The Congress wisely decided to use privateering to leverage private actors to help combat a threat that it could not deal with as effectively using its own naval power. In today's environment, I don't think anyone can say that we're winning against threats like Chinese cyber espionage. There has been quite a bit of discussion about what role governments should take in protecting their economic health by protecting their private sector from cyber espionage. Should there be a role for private companies to help defend themselves, their governments, and others by engaging in modern day cyber privateering? How would that even work? I can think of several broad models that could provide frameworks for how this could work.

The Active Model: The first would be an active model where a private entity is granted permission to engage in active measures outside of its organizational boundaries to stop attacks against it. This might include measures such as compromising machines and disabling computers that are being used as command and control (C2) platforms for attacks against it. The core of this model is the government granting a private entity permission to engage in active cyber warfare against an adversary.

The Passive Model: The second model would be a limited model where organizations aren't necessarily allowed to engage in a full cyber shooting war against their adversaries, but are allowed to compromise external machines for the purposes of gathering threat intelligence and determining attribution. The core of this model is intelligence gathering to improve the defenses of the organization being attacked and to provide that information to the government and other private organizations.

The Task Force Model: The third model would be something borrowed from the law enforcement community: the task force model, where many different agencies send investigators to work on task forces focused on particular issues such as violent crime, terrorism, cyber crime, or drug crimes. A variation on this would be one where private entities (rather than just government agencies) donate personnel and resources to a government-led task force whose goal would be to combat cyber espionage targeting the private sector. The private sector employees would be assigned to the task force for a certain number of years and then they could be called back to their home organizations, where they can teach their internal security people what they learned during their time on the task force, and new members can be sent to repeat the process.

A big initial problem I have with the idea of modern day privateering is that modern day networks aren't the same as the high seas. For example, there doesn't seem to be the equivalent of international waters on the Internet. If you are taking an action against a computer that is attacking you, that computer is sitting inside of someone's national borders. Great. The United States Congress gave you a "get out of jail free" card, but that's null and void in regards to that other nation's laws. I'm not a lawyer. I have very little idea how international law works in regards to this, but I suspect this is a show-stopping problem with any sort of modern cyber privateering idea that doesn't involve government direction.

The Active Model just strikes me as a patently wretched idea that is just begging to become a modern day information security example of the law of unintended consequences. Bringing down a server is serious business when it's not your own, and it could very well be that the server that is attacking you belongs to an oblivious and innocent third party. It could very well be your server that gets brought down next time by another privateer. It could also be that the computer you are attacking has been compromised by professional government cyber warriors from your own country who made the decision not to bring it down because the intelligence they are collecting from it is more valuable than stopping the attacks at that point. Now you've blundered into something you didn't know about and ultimately hurt your own cause. Lastly, this sort of privateering raises the stakes between you and the threat actor you've attacked. Maybe that threat actor will decide to return the favor and convince you to back off by not just stealing your data, but damaging your business operations by disrupting your network. We know how easy it is for advanced threat actors to get into business networks. Are these the people you really want to make angry? My guess is that this would look more like Phoenix Jones than John Paul Jones more often than not.

The Passive Model doesn't strike me as terrible an idea as the Active Model, but I'm still not fond of it. Yes, active measures to stop attacks aren't being taken and it's a model that encourages passive intelligence gathering. However, it still involves active measures such as compromising someone else's computer and putting tools on it to collect data. This brings in most of the risks of the Active Model. There is also the issue of what the point of collecting the data is. Sure, maybe you gain more threat intelligence that you can use to defend yourself and pass on to others, but is it really worth the risks and expenditure of resources? What if you actually do manage to track an attack back to a particular nation-state with a reasonable degree of confidence? Then what?

I like the Task Force Model, but I don't think that's really privateering anymore, given that I would envision the task force as something that the government would lead and direct and that corporations and other entities would provide a substantial amount of people and resources to operate. Article I, Section 8 of the US Constitution authorizes Congress "to provide for calling forth the Militia to execute the Laws of the Union, suppress Insurrections and repel Invasions". Essentially, this would be the government calling up a modern day cyber militia to repel cyber espionage against the United States.

* Being a modern day United States Navy Captain who is ordered to combat pirates has got to be a great assignment to get. You're not playing second fiddle protecting an aircraft carrier and you get to experience what some of your early peers did during the age of sail. If I were a commander who received those orders, I'd have a hard time not putting on a bicorne hat and ordering my crew to somehow rig a sail on my shiny modern Oliver Hazard Perry class frigate.