Recently, a Google executive, decrying the danger of cyber attacks claimed that “Our society is in real jeopardy.” I agree but rather than argue that passive “high-quality cybersecurity must be a pillar of modern society” I contend the opposite: It is time to take the fight to Malicious Cyber Actors.
Just like Steve Austin at the start of the 1970s television show “The Six Million Dollar Man”, our Internet is “barely alive.” Beset by malicious actors intent on preying on our personal privacy and property rights; the greater harm they do is denying to us the full realization of the potential of the Internet to usher in a new economic prosperity for all of mankind. I herein claim – akin to Oscar Goldman in the Six Million Dollar Man – that we can rebuild the Internet; We have the technology, We have the legal capability. If we are brave enough to do so, the Internet will be: “Better… stronger… faster.”
The Technology: A vast array of existing software tools are available to be deployed in offensive cyber attacks against malicious cyber actors to pursue, publicly identify, plunder their assets and punish, virtually – and in the real world – these 21st Century hostis humani generis or enemies of mankind.
The Capability: Under the existing international legal framework the United States presently has legal authority through Moiety Money and Letters of Marque and Reprisal to offensively respond to the asymmetric cyber-war declared on the United States by these malicious actors. Additionally, seventy percent (70%) of the world’s Internet traffic passes through data centers in Loudoun County, Virginia providing both legal and practical authority to the United States over the Internet to require identification of all users of the Internet thereby unmasking these cyber hostis humani generis.
Patently, in this cyber-war, our federal government, which by its very Charter was organized to provide for the “common defense”, is failing and failing miserably. If we are brave enough to do so, we can fight back and realize an Internet well policed by the United States resulting in a ”better… stronger… faster” Internet. Most importantly, we will be rewarded by this effort with significant economic growth now lost to data stolen by these cyber hostis humani generis.
- The Unacceptable Status Quo
The Internet is a trans-border domain – best estimates are that roughly 2.5 billion people and more than 1 trillion “Internet of things” are connected to the network. In that domain, We, the People of the United States, are under constant cyber attack. So forget the semantics: These cyber attacks are nothing short of war on our way of life by another name. We are at Cyber War with malicious actors.
Hacking attacks on U.S. companies often originate overseas and transit foreign servers. Looking at just the total number of annual malware events – 170 million across all organizations – the simple math results in the conclusion that five (5) malware events occur every second. The forecasted average loss for a breach of 1,000 records is between $52,000 and $87,000. Obviously, our federal government presently cannot – as promulgated in the Constitution – provide for our “common (cyber) defense” in this Cyber War. However, it is not just personal information that is being compromised, but the very foundation of our economy. The Commission on the Theft of American Intellectual Property recently concluded that: “The scale of international theft of American intellectual property is unprecedented – hundreds of billions of dollars per year, on the order of the size of U.S. exports to Asia. . . .The American response to date of hectoring governments and prosecuting individuals has been utterly inadequate to deal with the problem.
In conventional kinetic warfare this defensive passivity would be considered entirely nonsensical, given the available active strategies, such as counterattacks and deception. Nevertheless, today’s federal policy and legal framework for guiding and regulating the response to these constant cyber-attacks is ill-formed, undeveloped, and highly uncertain. All public policy related to cyber attacks solely focuses on defending domestic computer systems and networks against attack.
Inanely, resort to offensive cyber strategies – “Hack-Back” in cyber parlance – is presently prohibited by federal laws criminalizing any retaliatory self-defense against these virtual assaults. For example, the Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq. and the Fraud and Related Activity in Connection with Access Devices, 18 U.S.C. §1029 both prohibit and criminalize individuals and corporations from undertaking Hack-Back activities. Starkly, the Justice Department’s Manual on Computer Crime, states: “Although it may be tempting to do so (especially if the attack is ongoing), the company should not take any offensive measures on its own, such as ‘hacking back’ into the attacker’s computer – even if such measures could in theory be characterized as defensive. Doing so may be illegal, regardless of the motive. . . [T]he company’s system administrator can contact the system administrator from the attacking computer to request assistance in stopping the attack or in determining its true point of origin.”
Good luck asking a North Korean network system administrator for assistance in stopping a cyber attack emanating from his computer network.
- We Have the Technology
Cyber security specialists categorize the main Cyber Offense tactics as the three “A”s: Annoyance, Attribution and Attack. Annoyance involves tracking a hacker and leading him into a fake server, thereby wasting his time. However, wasting a hacker’s time is ineffective given the computing power which amplifies the “time” a hacker has at his disposal.
Attribution uses tools to trace the source of an attack back to a specific location, or even an individual hacker. Once known, the identity of the hacker can be dutifully reported to police authorities. Obviously, with the vast majority of hackers being situated in countries which possess neither the resources nor will to prosecute these malicious actors, such “reporting” is practically useless to stop further attacks. Cybersecurity experts criticized efforts to prosecute cybercriminals as a waste of time and say the people who are arrested are rarely the right people: They’re often the middlemen instead of the kingpins.
Thus it is the third “A” – Attack – that remains to secure the Internet from malicious actors. To “Hack Back,” a company accesses a hacker’s computer to disrupt, deny, degrade, or destroy the information within that computer and/or the hacker’s computers/networks themselves. These steps are presently illegal under federal law.
A selection of such cyber offense tools – presently banned from use by Congressional action – would allow significant negative consequences to follow cyber attacks on the interests of the United States, its Citizens and corporate entities. For example:
- Booby Trapping Software: Booby trapping software can serve as an automatic start to the counter-attack process. As an automated response, booby traps could quickly engage the attacker before he or she even realizes that the attack has failed. This would allow the counter-attack to catch the attacker unaware and before he or she has a chance to retreat and abandon the source of the attack. With automated attack toolkits such as Metasploit, an automated counter-attack may gain access to the offending system thereby allowing an escalation of the Hack-Back to virtually harm the attacker. The result: Restoring equilibrium between attackers and defenders in the digital domain.
- Sniffer Software: Botnets are one of the biggest threats to computers and networks. The botnet infects a computer then connects the computer to the hacker’s command and control server (“C&C server”). The botnet runs in the background and communicates with the C&C server to receive instruction that typically involves being part of malicious activities performed against networks without the knowledge of the owner. The victims of the botnet attacks number in the millions of infected computers. Sniffer software tools are able to identify the C&C server domain names and Internet Protocol address – a numerical label assigned to each computer connected to a computer network that uses the Internet – that have been contacted by the infected host. Once identified, software is available to shut down the C&C server and thus stop the cyber attacks. Indeed, it is possible to remotely physically destroy the C&C server by setting it on fire by: (i) disabling the computer’s fan and overheating the computer until it catches on fire or (ii) reading the values from the computer’s internal battery, reprograming the battery’s firmware, and then overcharging the batteries until they catch on fire.
- Anti-Worms: An Internet worm is type of malicious software that self-replicates and distributes copies of itself to its network. These independent virtual viruses spread through the Internet, break into computers, and replicate without intervention from and unbeknownst to computer users. Among the most notorious malware worms were the CodeRed, Blaster and Slammer worms which collectively caused billions of dollars of damage. Yet, rather than just constantly patching the software holes that allow Internet worms to proliferate, there exists a method that transforms a malicious worm into an anti-worm which disinfects its original. Yet, use of such anti-worms is prohibited by federal law.
- Attribution Techniques: Cyber-attackers launch attacks through numerous computer stepping-stones to hide their identities as they steal confidential information from victims. By using stepping-stones, it becomes very difficult to trace-back the attack to the originating computer. A Pebbletrace scheme imbeds Zero-day based Pebbleware in the stolen information and thereby enables investigators to trace-back to the attacker’s machine which has the stolen information. Likewise, (i) the “honey badger,” locates the source of an attack, tracking its latitude and longitude with a satellite picture, and (ii) “beacons”, which are placed in documents to detect when and where data is accessed outside the user’s system. Upon such information the identify of the attacker and his physical location can be known. Yet, as above, use of these software techniques enter the gray area of the law potentially subjecting the user to federal criminal prosecution for Hacking-Back.
In sum, at present there exists a wide-range of publicly available offensive cyber attack capabilities – and many more not publicly known and/or yet to be created – to allow those under cyber attack to defend themselves by striking back again malicious cyber actors. Yet, federal law prohibits such basic self-defense by individuals and corporate entities.
Instead, our presently authorized offensive cyber actions are confined to the military which presents two obvious problems. First, there is an ever-diminishing pool of talented recruits from which the military can draw. According to a 2009 report from Mission Readiness: “27 percent of young Americans are too overweight to join the military.” Thus, the pool from which the military may draw upon for recruits is nearly 30% smaller due to obesity. This is a huge waste of intellectual talent in a cyber war which does not require physical fitness.
Imagine this: Our present video-game generation turned loose on real-world gaming in which the malicious cyber actors are the prey to be identified, confronted and destroyed. At present, there are currently over 34 million core video gamers in the United States, and they are playing video games for an average of 22 hours every week. Image further those millions of man-hours put to use developing new offensive cyber software, tracking down malicious actors and engaging them in a manner which benefits society, rather than solely the self-gratifying, synthetically-significant, onanistic behavior of these video gamers.
Second, deployment of these offensive cyber military resources is limited by the Law of Armed Conflict which presently does not easily allow release of these offensive cyber weapons in the interest of private sector economic concerns.
The take-away from this picture should be self-evident: Unleash – in a controlled fashion – the potential of the crowd upon our cyber attack problem and the result will be spectacular. Better software, better cyber watch-dogs, in short, a better Internet.
III. We Have the Legal Capability
Along with the Technology to fight the cyber threats to our way of life, we have the present Legal Capability to offensively engage the malicious cyber actors. Admittedly, in 2009, the self-appointed-arbiter-of-all-things-legal, the American Bar Association declared that: “the single greatest difficulty encountered thus far in the development of a legal response [to the national security cyber threat] lies in the transnational nature of cyberspace and the need to secure international agreement for broadly applicable laws controlling offenses in cyberspace.”
I strongly disagree.
The United States does not “need to secure international agreement” for controlling offenses in Cyberspace. Instead, as we have done the last two centuries, we must lead by utilizing the existing legal framework with fearless integrity to make right what we – the United States alone – have wrought: An anonymous internet more damaging every day to the privacy and property of the United States, its Citizens and corporate entities.
By deploying two well-established legal vehicles – Moiety Money and Letters of Marque and Reprisal – and removing the anonymous nature of the Internet, order can be imposed upon the damaging chaos of the Internet we have created.
- Moiety Money
The first step to regaining control of and imposing law and order in cyberspace is employing the well-established role of “Moiety Money” to pay informants for providing information leading to the identification and/or arrest of cyber-criminals. These schemes are variously known as “reward programs”, “bounty schemes”, “incentive payment programs”, and “moiety acts”.
Remarkably, Congress has not established similar bounty schemes for those malicious cyber actors who cause significant damage to the economy of the United States. Instead, Congress has affirmatively hampered pursuit of these malicious cyber actors by those who have the skill and who could be monetarily motivated to identify these individuals. Patently, a bounty scheme which would release individuals and corporate entities to turn their talents to this problem and handsomely reward them for success could go a long way in cleaning up our virtual Dodge City.
The point should be plain: Motivate and harness the power of the crowd to lend their diverse talents to augment the limited resources of the government by handsomely rewarding efforts that result in successful identification of malicious cyber actors.
- Letters of Marque and Reprisal
Yet Moiety money is not enough as it limits crowd-sourced cyber investigators to passive acts of research: an army of cyber Sherlock Holmes sniffing for clues and making connections between disparate bits of evidence yet without the ability to bring the cyber pirates to justice . Much more is needed now, as it was two hundred years ago when our founding fathers faced an analogous threat to the security and commercial interests of the newly-formed United States by high seas pirates. Their response?
Article I, Section VIII of the U.S. Constitution which states in relevant part: “The Congress shall have Power To . . . grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water.” Letters of Marque and Reprisal are: “a license authorizing a private citizen to engage in reprisals against citizens or vessels of another nation.” Privateers were authorized by the State not only to protect their own interests, but to aid in the war effort by assisting in the destruction of the commerce of the hostile nation. They paid for themselves, in the end, with profits from the commerce they destroyed.
Subsequently, under authority of Article I, Section VIII, Congress enacted legislation permitting the seizure of pirate vessels. In the case of United States v. The Brig Malek Adhel (1844), a pirate vessel was seized in Brazil. In approving of the seizure, the United States Supreme Court held that: “a pirate is deemed, and properly deemed, hostis humani generis because he commits hostilities upon subjects and property of any or all nations, without any regard to right or duty, or any pretense of public authority.” Thus piracy obtained the status as a jus cogens norm and any nation can enforce and punish pirates, wherever the culprits may be found and without regard to where the offense occurred. It is worth a moment’s detour to recognize that while the 1856 Paris Declaration Respecting Maritime Law abolished Privateering through Letters of Marque and Reprisal, the United States never ratified this Declaration. As such the Declaration does not de facto nor de jure prohibit the United States from issuing such Letters of Marque and Reprisal.
Lacking now a similar capability to confront our cyber enemies, it is time Congress dusted off the Letters of Marque and Reprisal authority it possesses and unleash our cyber-privateers to confront the cyber pirates.
- Re-writing the Rules of the Internet Road
Last, it is time to invoke the “nuclear” option to control malicious cyber actors. This option involves quarantining the areas of the globe from access to the U.S. Internet until such areas adopt our policies to prevent anonymous use of the Internet. While many arguments can be made to allow anonymous use of the Internet, the simple fact remains that such egalitarian goals must now fall to the reality of the harm anonymous users are causing to the security and economy of the United States. Accordingly, it is time to require that access to the Internet be conditioned upon identification of each user of the Internet.
To understand our present ability to de-anonymize the Internet, an understanding of the basic Internet infrastructure is needed. That infrastructure has three relevant major components: (i) Internet Protocol Addresses, (ii) Tier One Internet Service Providers, (iii) Regional Internet Registries.
- Internet Protocol Addresses
First, every device that accesses the Internet is physically connected – by cable or wireless network (Wi-Fi) – to a network of devices which are further connected to other networks of devices to allow global connectivity. Each computer on the network is identified by an Internet Protocol address which is a string of 16 digits used to identify a computer on the network which tells a network your location in the world and your individual identity on the network.
Before the howls of the cosmopolitan elite are screeched in response to this fact and my proposal to make it standard practice to require Static Internet Protocol addresses mandatory to allow such Internet-use tracking, consider this analogy: On the actual highways of the world, do we allow the drivers of vehicles to operate anonymously? The answer, of course is no. The reason is plain: In so much as vehicle operators can cause significant property damage and injuries and/or death to persons, their identities must be know. Accordingly, in order to hold the operators of vehicles accountable for their actions, we require driver’s licenses, vehicle registrations, license plates and, significantly, vehicle identification numbers unique to each vehicle on the road worldwide. In that way, if a breach of the law occurs, the perpetrator can be identified and called to account for any damage done. For the same reason, the identification of each Internet user must be required.
- Tier One Internet Service Providers
Second, the Internet is divided into Autonomous System Networks which operate independently while cooperating with each other by exchanging routing information for Internet traffic to achieve a global connectivity.
A Tier One Autonomous System Network Internet Service Provider (“ISP”) represents the highest level of Internet Service Provider in its region and all lower tier level ISPs must channel their traffic through a Tier One ISP in order to be connected to the rest of the Internet.
Given this structure, Congressional/Executive action to control the traffic on the Internet into United States based computers can be accomplished by imposing “Rules of the Internet Road” on these Tier One ISPs. Presently, the Office of Foreign Asset Control orders financial institutions to block the assets of narcotic smugglers and terrorists from transfer from or to them. Likewise, Congress can create an Office of Internet Protocol Address Control agency which would order the Tier One ISPs to block all Internet communications to or from identified malicious cyber-actor computers and the Autonomous System Networks from which they are operating.
Additionally, if the Tier One ISPs are obdurate, a few tactical kinetic snips of the submarine cables which physically connect the World’s computers will free the United States from Nigerian Princes seeking to expatriate their vast wealth, North Korean hackers and other malicious cyber actors from troubling our economy and privacy any more.
- Regional Internet Registry
Last, the Internet’s operation is controlled by Regional Internet Registries which are organizations that manage the allocation and registration of Internet number resources within a particular geographic region of the world. The Regional Internet Registry system evolved over time, eventually dividing the world into five Regional Internet Registries which allocate Internet Protocol addresses:
- American Registry for Internet Numbers (ARIN) for North America
- Réseaux IP Européens – Network Coordination Centre (RIPE NCC) for Europe, the Middle East, and Central Asia
- Asia-Pacific Network Information Centre (APNIC) for Asia and the Pacific region
- Latin American and Caribbean Internet Addresses Registry (LACNIC) for Latin America and the Caribbean region
- African Network Information Center (AfriNIC) was created in 2004 to manage allocations for Africa
The Internet number resources allocated by the Regional Internet Registries include: (i) Internet Protocol addresses and (ii) Autonomous System Network numbers. As such, ARIN could require as a condition of continued assignment of an Autonomous System Network number to a Tier One ISP that they require identification of each person who utilizes a computer network which traverses their Autonomous System Network. As with state-issued driver’s licenses, each lower tier ISP would be obligated to obtain satisfactory identification of the owner/user of each Static Internet Protocol address which is assigned. A unique Internet User’s License similar to the Driver’s License would be required of each person each time they log-on to the Internet.
Moreover, until the other four Regional Internet Registries agree to comply with this identification requirement, all their traffic would be blocked by the Tier One ISP from entering or leaving North America. Simply put, if you want to access the markets and peoples of North America, then you have to play by our Rules of the Internet Road. If they refuse, God Speed, we can do without them.
Plainly, there are significant technical and phase-in issues to be addressed to implement such a scheme. However, the question I pose in response to the expected virulent objections is this: What is the alternative? More of the status quo where the economy of the United States loses billions of dollars annually? Our national security compromised by frequent credit card, health and financial information breaches?
IV. Are We Brave Enough?
We have the Technology. We have the Legal Capability. But are we brave enough to come from behind our ever thicker and ever taller cyber Maginot Line and take the fight to the malicious actors who attack us?
In the 18th Century, that founding generation did not hesitate to declare their freedom from the yoke of Britain with offensive action. In the 19th Century, when faced with conflicts which threatened to tear this nation apart, our predecessors sprung to offensive action to preserve a Union by refusing to permit slavery to tarnish the organic law premise of these United States that “all men are created equal”. In the 20th Century, the “greatest generation” took up arms to defeat the chaos and terror of global fascism.
What will be the future judgment upon those of us of the 21st Century who, by our passive response to this Century’s cyber-fascism, cyber-terror and cyber-threats, imperiled the precious rights and way of life our predecessors sacrificed their blood and tears to bless us with?
My answer is plain and to explicate it I quote Abraham Lincoln: “America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves.” We are destroying our freedoms and thus our country by allowing attacks upon our way of life without offensive response. This must stop if we are to hold our heads high if and when we meet our fore-bearers on judgement day.
Accordingly, Congress must not only remove the handcuffs which are preventing us from protecting our “lives, liberty and the pursuit of happiness”, but lead the fight by: (i) rewarding through Moiety Money the crowd for policing the Internet, (ii) unleashing the crowd by Letters of Marque and Reprisal to Hack-Back against malicious cyber-actors and (iii) embarking on a “Manhattan Project” to sanitize the Internet through denying access to U.S. physically based Computers by Autonomous System Networks that fail to comply with the new Rules of the Internet Road written by We the People of the United States of America. If done, the Internet will be “Better . . . stronger . . . faster.”