Self Defense in Cyberspace: Law and Policy

Abstract

In the last year, public discussion of cybercrime has a few major buzz words, including Stuxnet, zero-day vulnerabilities, Anonymous, HBGary, RSA, and Lockheed Martin. The Stuxnet worm exploited four zero-day vulnerabilities in the summer of 2010 and damaged Iranian nuclear infrastructure. In February 2011, security firm and government contractor HBGary Federal announced that they intended to go after individuals involved in the loose knit group of hackers that call themselves Anonymous, and Anonymous responded by hacking into HBGary Federal’s systems and publishing confidential company emails on the web that revealed some of HBGary Federal’s questionable activities. Security firm RSA, which produces SecurID two-factor authentication technology, revealed in March 2011 that information relating to this technology was obtained by advanced hacking techniques. The effects of the RSA breach started to become more apparent in May 2011 when government contractor Lockheed Martin experienced cyber intrusions using counterfeit SecurID security keys. In August 2011, another term was added when McAfee’s research division announced the results of an investigation: Five years. McAfee asserts that for the last five years, major cyber intrusions have been occurring, likely by the same actor or group, giving the intruders access to national secrets, SCADA configurations, source code, design schematics, and much more. The source of these intrusions is not known, though many suspect state actors, and Republican presidential primary candidate Jon Huntsman stated during the Republican presidential debates that he considers such cyber attacks to be acts of war. With the significant technological development occurring in this area, the legal framework is still lacking. There is arguably not currently an effective way of addressing cybercrime under criminal law, and private remedies through lawsuits are likely to be inadequate. Congress has been making progress towards addressing cybersecurity issues, but between a Congressional Cybersecurity Caucus, a Cybersecurity Task Force, and several different congressional committees that assert jurisdiction over cybersecurity issues, clear congressional consensus on the topic is likely to be a long time coming. The urgency of the topic and the current lack of guidance leaves potential targets with the need to defend their own systems. Our research began with a broad focus: analyzing the legal framework surrounding cybersecurity issues and making recommendations for implementing a framework that would permit the use of active self-defense in cyberspace ('active defense'), as opposed to requiring network administrators to always rely solely on the passive defense options of firewalls, patches, and antivirus software. Active defense includes technologies that detect attacks, trace the attacks to their source, and enable counterstrikes to halt the attacks.