
Essay: Create Intl. Body to Regulate Private Co.s Ability to Counterstrike Cyber Attacks: Legal Solution to Cybercrime?

Essay details and download:

  • Subject area(s): Sample essays
  • Reading time: 10 minutes
  • Price: Free download
  • Published: 1 April 2019*
  • Last Modified: 23 July 2024
  • File format: Text
  • Words: 2,674 (approx)
  • Number of pages: 11 (approx)




Should private companies and governments be able to retaliate against a cyber-attack by destructively counter-striking against attackers?

 Is this a reactive policy to help insulate critical services from damage as well as mitigate harm from potential attacks or merely “hack back” vigilantism?

It should become legal for private companies to moderate cyber attacks by being actively involved in the tracing, tracking and decision-making process of hacking back; it is governments who should set the parameters for private companies and also follow the process of law for punishment. Cyber attacks know no borders and can originate from anywhere on the globe, so it is important that an international regulating body oversees the appropriateness of responses when hacking back. A multi-layer approach to retaliating against cyber attacks will create a separation of powers; this more contemporary approach to cyber crime means that no one entity can overstep its jurisdiction, and it will prevent vigilantism. There is, however, one issue with the current legislative understanding of cyber crime: current legislation oversimplifies cyber crime and gives an outdated perspective. The consequence is that it ignores important issues of cyber crime such as the harming of innocents, educational prevention, proportionality, regulating powers, corruption of power and the interests private companies have in overseeing justice.

The cyber world and all the legalities involved with it, including cyber crime and cyber attacks, have created huge ambiguity about the legal parameters and the appropriateness of response. This grey area has created much confusion as to what the limits of retaliation are in response to a cyber attack. Currently, there are no clear guidelines outlining legally acceptable or unacceptable cyber retaliatory actions, but there are strong indicators across U.S. government agencies that the right to counter attack cyber aggressors is a valid and legal response to acts of aggression (Kevin L. McLaughlin, 2011). This makes it dangerous for private companies and governments to respond to a cyber attack, especially under the current definitions of warfare (Nykodym 2004 and Peagler, 2014). This uncertainty can create misconceptions which misguide the proportionality of retaliation attacks; such discrepancies could have detrimental effects, which could lead to the harming of innocent victims (Denning, 2014). To change the current confusion over how to respond to cyber attacks, we first need to change the perception and current definition of legal warfare, which has existed from Carl Von Clausewitz since the 18th century. Kerschischnig (2012) believed that a “different approach to cyber crime considered under more modern understandings of how warfare is defined should be addressed”; this will allow the definition to become consistent.

We can first start to change our understanding of warfare by looking at the Stuxnet virus attack. This attack helps create a more contemporary understanding of what warfare is and how cyber crime can be regulated. The attack involved a virus being brought on a USB into an Iranian facility, where it was plugged into the internal system and made its way through the network, infecting all of the electronic infrastructure. The virus infected turbine centrifuges, which resulted in the first ever physical damage brought on by a computer virus (Rid, 2013). This attack created a huge shift in the understanding of what constitutes cyber crime and popularised the idea of how very real a threat cyber crime can be. Lindsay (2013) called Stuxnet the “harbinger of a new form of digital warfare.” It is clear from this that the definitions of cyber crime would have to change, and with them more laws need to be established for the protection of companies. Along with the legal dilemma there is also an ethical one, which raises a few questions: what is an appropriate response? Who takes the responsibility? How can someone be answerable for a hack or an attack, given issues of inter-country protection and dated laws? And most importantly, how can a company protect itself? The Stuxnet attack was at its time an unparalleled form of warfare and totally changed the game in how infrastructure can be damaged without a physical attack. Article 51 of the U.N. Charter states that self-defence is allowed for armed attacks, making the Iranian organisation unable to retaliate. Nevertheless, as aforementioned, McLaughlin (2011) states that “government agencies that the right to counter attack cyber aggressors is a valid and legal response to acts of aggression.” Uncertainty like this creates legal ambiguity for organisations about what parameters can be taken.
The issue with this is that different organisations could take different approaches to protecting themselves and attacking back. This is why a more contemporary legal framework is needed surrounding these issues; this framework should provide answers on how to respond to these new forms of cyber attacks (Halberstem, 2013).

Another issue that arises when looking at the ability of private companies to counter strike against attackers is the question of who can be at fault, or who performed the attack. Again, if we look at the Stuxnet attack, it would be difficult for the Iranian company to respond, as there was no definitive ruling as to who was held responsible for the attack. Iran would only be able to respond on speculation, and that is not legally justifiable, as there are no international laws or rules on how they can respond. It is extremely difficult for private companies and governments to determine who attacked them and what data was stolen (Kallberg, 2015). Having unclear legal guidelines with little international response means that organisations are left to deal with attacks on their own with no response from law enforcement (Brenner, 2004). This creates a dangerous recipe for organisations overstepping boundaries or overusing hack backs without proportionality, creating too much vigilantism. This is why an international body that governs cyber crime attacks needs to be established, to create more consistent laws that develop and change with the ever-changing environment of technology. An international body that governs in connection with countries’ own law enforcement will create ease in supporting the response to international cyber crime. The current issue with cybercrime is the difficulty of enforcing and defining legal rights. “Currently national laws and civil jurisdiction stop at each country’s borders, this makes enforcement and response from law enforcement to punish the ordered often non-existent or delayed resulting in effect identification and follow up cannot take place” (Karnow, 2005). An international body would create ease and protection, allowing for consistent protection for companies and punishment for those performing the hacks. A regulatory body would furthermore help with determining who was at fault and protect innocent people.
This alternative approach focuses on establishing strong collaboration among law enforcement, private and public sector organizations to determine effective attack prevention methodologies and processes (Brenner, 2004). Furthermore, it would be appropriate for the international body to adopt current regulations to help with the governing of the cyber world. The National Institute of Standards and Technology (NIST) has a Special Publication (SP) 800-61 which outlines process steps that organisations should follow when conducting incident response operations (Cichonski, Millar, Grance and Scarfone, 2013). The standard recommends that organisations follow a policy of preparation, detection, analysis, containment or eradication, recovery and post-incident activity (Grance, Kent and Kim 2004). These types of policy allow organisations to take an approach to protecting themselves without overstepping international boundaries and can help with the prevention of similar attacks, as there is greater understanding of how to protect.

Nevertheless, an international body wouldn’t supply the answers to every response to cyber crime. That is not to say that having international laws and statutes would protect thousands of businesses and governments. Furthermore, an international body that works with world governments would shift the focus from a historically passive defence and reactive response to cyber crime towards a more aggressive model which would impose penalties and repercussions on attackers; this could be seen in disabling or destroying their equipment (Grove, Goodman and Lukasik, 2000). However, this type of international law is not always followed and can create discrepancies when countries try to offensively hack back. Whilst the international body might help with mitigation of harm by using its laws as a deterrence, internationally there is still so much anonymity through the digital world. This anonymity means that countries have to protect themselves with reactive responses to hacking, as the international body would find it hard to regulate. With so many attacks happening so often, investigating and prosecuting all violations would be very time and money consuming (Iasiello, 2014). There needs to be an environment of personal accountability for everyone to do their part in reducing overall cases of cyber crime and the need for retaliatory attacks (Huey, Nhan and Broll, 2013). However, this raises the issue of how much personal accountability can be taken into a single government’s hands when protecting its own country. In the United States of America, the Department of Defence has the legal authority of the President to launch both a cyber and physical counter attack against an aggressor if that is deemed the best course of retaliatory action (Messmer, 2007). In addition to this, each United States military organisation has a cyber response team that is capable of launching or assisting in cyber counter attacks, which is supported with military action (Messmer, 2007).
This raises the question of proportionality and vigilantism when retaliating against attacks. Even though an international governing body would attempt to prevent the need for such force, it also raises the question of how best a country can defend and protect itself beyond the governing body. The United States is such a wealthy country that it could unleash its full force on another country which would only be using digital and cyber attacks, which perhaps is more a case of it just protecting its own intellectual property. This is when the international body would need to intervene in order to keep cohesion and consistency.

Another issue that can arise from countries, organisations and governments taking counter striking against cyber attacks into their own hands is that countries can have political motives and incentives to do so. There are many criminologists who believe that the danger of cyber attack is greatly exaggerated (Zavrsnik, 2008). Furthermore, many experts believe there is a bias towards making threats appear worse than they are (Zavrsnik, 2008). This hype and over-exaggeration of cyber attacks means that governments can use this to their advantage and use what they deem to be appropriate means to hack back in a way proportionate to the perception of those ‘attacks’ against them. This could create political or financial motives for companies to access competitor and customer data (Conti, 2011). This further solidifies the need for a governing body to oversee these cyber attacks and legislate in order to keep consistency in what is deemed fair in protecting themselves or hacking back. All future cyber legislation should be done in a way that doesn’t allow private companies or governments to take an economic advantage. Instead, the new laws should reflect all nations’ best interests (Schmitt, 2014).

One way we can still allow governments and organisations to respond proactively and proportionally to hacking attempts is by using education to help prevent potential hacks. This will prevent the need for destructive counter strikes and intervention from the international body. Education is such a vital part of protecting computer systems when so much money is invested in hardware and software (Major, 2009). Moreover, companies and governments need to address basic security when reviewing their obligations to data protection; some procedures are often ignored, and responding to these can reduce the instances of serious security vulnerabilities (Parker, 2014). Companies could look at security measures such as network security, two-factor authentication and biometrics for access to systems, as well as clearance and checks before employment. Failure to help protect themselves from cyber attacks in this way would have negative business impacts. This means that companies need to spend time and resources developing methods for legal response, in correlation with the proposed international body, that will safeguard their systems and data. This creates a highly delicate balance between education, highly secure cyber environments and ensuring businesses are still able to function (Kuipers, 2006). These types of defensive security measures and education would take the strain off governments and private companies defending themselves against attacks. Actions such as this would prevent hack back vigilantism as a response to cyber crime and help organisations better prepare themselves through education.

To summarise, private companies and governments being able to respond to cyber attacks on their own merits raises great concerns and complications for it to be a practicable process. If we change our perception of the current definitions of warfare, we can provide better legal amplification, which will result in better justice for all involved in cyber crime. This can be further solidified through government education and protocols such as those set out by NIST to help companies better prepare and protect themselves against attacks. This can reduce the number of cases as a direct result of awareness of risks and the repairing of vulnerabilities. Furthermore, all of this will be better protected by establishing an international governing body. This governing body will help prevent governments from overstepping boundaries and create consistency about what is necessary retaliation when counter striking against cyber attacks. The international body will further help create laws and protections at an international level that all must adhere to; this will prevent motive-based attacks. Additionally, this will create tighter regulation of countries’ higher powers in mitigating attacks and ensure the right amount of proportionality is being followed. This will help address concerns about private companies taking their own actions when hacking. This will maintain that laws address only justice for all and everyone’s best interest. This separation of powers between private companies, government bodies and international protectors would eliminate the need for companies to destructively hack back and would eradicate unnecessary vigilantism. All these limitations and protections on cyber attacks and cyber security will prove to be the most just action; that, coupled with cooperation from all parties, will prove to be the most successful way of tackling this issue.

References

Brenner, S. W. (2004). Toward a criminal law for cyberspace: A new model of law enforcement. Rutgers Computer & Tech. LJ, 30, 1.

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2013). Computer security incident handling guide. International Journal of Computer Research, 20(4), 459.

Conti, Gregory (2011). Hacking Competitors and Their Untapped Potential for Security Education. IEEE Security & Privacy. Vol. 9 (3). Pages 56-59

Denning, D (2014). Framework and principles for active cyber defense. Computers and Security. Vol. 40 pages 108-113

Grance, T., Kent, K., & Kim, B. (2004). Computer security incident handling guide. NIST Special Publication, 800(61), 11.

Grove, G. D., Goodman, S. E., & Lukasik, S. J. (2000). Cyber-attacks and International law. Survival, 42(3), 89-103.

Halberstem, M (2013). Hacking back: reevaluating the legality of retaliatory cyberattacks. The George Washington International Law Review. Vol 46 (1). Pages 199-237

Huey, L. Nhan, J & Broll, R (2013). ‘Uppity civilians’ and ‘cyber-vigilantes’: The role of the general public in policing cyber-crime. Criminology and Criminal Justice. Vol. 13 (1). Pages 81-97

Iasiello, E (2014). Hacking back: not the right solution. Parameters. 44.3

Kallberg, J. (2015). Bringing Fear to the Perpetrators: Humanitarian Cyber Operations as Evidence Gathering and Deterrence. Strategic Analysis, 39(4), 423-427.

Karnow, C. E. (2005). Launch on warning: Aggressive defense of computer systems. Yale Journal of Law and Technology, 7(1), 4.

Kerschischnig, G (2012). Cyberthreats and International Law. Utrecht Journal of International and European Law. Vol. 29 (73)

Kuipers, D., & Fabro, M. (2006). Control systems cyber security: Defense in depth strategies (No. INL/EXT-06-11478). Idaho National Laboratory (INL).

Lindsay JR (2013). Stuxnet and the limits of cyber warfare. Security Studies, 22(3): 365-404.

Major, S (2009). Social Engineering, Hacking the Wetware! Information Security Journal: A Global Perspective. Vol. 28 (1). 40-46

McLaughlin, K. L. (2011). Cyber Attack! Is a Counter Attack Warranted?. Information Security Journal: A Global Perspective, 20(1), 58-64.

Messmer, E. (2007). US cyber counterattack: Bomb’em one way or the other. Network World, 12.

Rid, T. (2012). Cyber war will not take place. Journal of strategic studies, 35(1), 5-32.

Schmitt, M (2014). Rewired warfare: rethinking the law of cyber attack. International Review of the Red Cross. Vol. 96 (893). Pages 189-206

Zavrsnik, A. (2008). Cybercrime definitional challenges and criminological particularities. Masaryk UJL & Tech., 2, 1.

About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, Create Intl. Body to Regulate Private Co.s Ability to Counterstrike Cyber Attacks: Legal Solution to Cybercrime?. Available from:<https://www.essaysauce.com/sample-essays/2018-5-18-1526642928/> [Accessed 28-05-26].


* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.