Join us for the Honeynet Workshop 2024: May 27th–29th, Copenhagen, Denmark

No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk (Deal With It)

10 Dec 2012 David Dittrich active-defense active-response-continuum counter-attack crowdstrike ethics hack-back

This is a response to a CSO Online blog post by Jeff Bardin ("Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk," November 2012.), which is a rebuttal to a blog post by Jody Westby on Forbes online (“Caution: Active Response to Cyber Attacks Has High Risk.”) Mr. Bardin is obviously playing on words in the title and I seriously doubt he believes that it is higher risk to not take aggressive actions than is to do so. His post does not contain a reasoned proposal for how to change or work within existing legal and ethical norms to allow aggressive actions directed at computer network attackers. It is instead a strident endorsement of a vaguely defined “new approach” of counter-attack using simplistic arguments based on emotion and a desire for retribution (an unethical position to take), lacking sufficient discussion of appropriate “rules of engagement,” principle-based ethical justifications of any type beyond basic “right of self-defense” arguments, and including no oversight mechanisms to minimize the potential for abuse or collateral damage. This response is quite long, including not only Mr. Bardin’s own words for context but also many references to materials apropos to the topic that Mr. Bardin does not provide in his post.

Mr. Bardin’s blog post illustrates some of the problems with discussion of this topic that I have seen over and over since the first workshops I attended or lead on this topic in Seattle’s Agora security group from 2001 to 2004. I have been studying and discussing these issues for over a decade and have seen the same simplistic arguments repeated in nearly every discussion. Useful analogies in this realm are really hard to find and almost always fail. Part of the problem stems from non-technical people trying to discuss extremely technical and complex issues of computer network attack and defense, combined with rushing to simple “self defense” analogies and appeals to emotion, suggesting we have to do something, anything, to get satisfaction. Frequently left out is any meaningful discussion of ethics, “rules of engagement,” responsibility, or accountability.

If my response here comes across as vehement opposition, it is not intended that way. If anything, it shares Mr. Bardin’s frustration that we have gotten to the point where intrusions are so widespread and pervasive, but we differ in explaining why and in proposing a viable path forward. Just listen to my invited talk at the 9th Usenix Security Symposium in 2000 and you will see suggestions (based on active response activities I was performing at the time) for ways to improve the situation. Or read the report from the CERT/CC Distributed Intruder Attack Tools Workshop in 1999 (Results of the Distributed-Systems Intruder Tools Workshop. CERT/CC, December 1999.) for recommendations to deal with widespread distributed attacks, many of which companies to this day fail to consider until they are taken offline by a DDoS attack.

The new approach of that is referred to in the article
of “hacking back,” “striking back,” or “active defense
(an oxymoron to begin with),” is described as alarming.
I find it to be refreshing and required.

Throughout this post I take issue with the language used by Mr. Bardin and others since the way language is used has implications. This issue actually goes back at least as far as 1998 in terms of government attention and public discussion of the issues from the Bill Clinton Administration. Jody Westby organized a panel at the American Bar Association meeting in 2004 with myself, John Christiansen, Ken Himma, and Ivan Orton during the period when I was studying the topic of “Ative Defense” with funding from Cisco Systems (see my web page for this project and another page I maintain of reference material.)

What Jody Westby is suggesting is that there are new calls to go offensive, but there have been similar calls in the past. Several companies have tried to offer “hack-back” services that failed to succeed because they were not well thought out. (E.g., IBM and the Lycos “Make Love not Spam” system both counter-attacked spammers; Symbiot tried to sell an “active defense” attack-back system, and Dish network remotely bricked the devices of suspected media pirates.) There are a range of actions from less intrusive to more intrusive, less risky to more risky, less aggressive to more aggressive. The situation is not as black and white as “do nothing” vs. “striking back” and “active defense” appears as an oxymoron to those who don’t understand its complexity. Setting up such a false dichotomy hinders responsible discussion of this topic. A better term that I coined and promote is the “Active Response Continuum” (or ARC, for short) precisely because this term better reflects the range of actions as opposed to a vague euphemism that naive listeners assume is the extreme end of the spectrum that is “counter-attack” or “hack-back.” Anyone who thinks and speaks in black and white in this area has already shown they don’t understand it well enough to be able to ethically justify the risks involved.

I mean no disrespect to Mr. Bardin, but the language and vehemence of his arguments deserve an equally strong response as this is not some simple intellectual banter, but a discussion about changing laws in ways that could turn the internet into a uncontrolled battlefield of private individuals and narrow self-interests that has the potential to harm millions of individuals’ computer systems (and thus their electronic assets) in a single misguided act. Such a serious topic deserves well-reasoned and thoughtful consideration before moving forward.

Having been a CISO and suffered continuous probes, scans,
hacking attempts, hacks, cyber intelligence gathering, cyber
espionage attempts along with sabotage, I can tell you directly
and accurately that most CISO’s agree with my approach. They
will not utilize such an approach since they are not authorized
to do so, do not have the skills, technology or capabilities to
do so but applaud those who don’t just stand in the ring taking
body shots and head blows from multiple opponents at the
same time.

A computer intrusion is nothing like standing in a boxing ring. If anything, it’s a failure of business policy and investment in computer network defense.

I know that many CISOs share Mr. Bardin’s frustration and will take satisfaction that someone/anyone is trying to strike back, but frustration is not justification for taking extreme risks in some attempt to seek retribution or punish an attacker. Neither of those are not acceptable ethical justifications for taking risky actions and an insufficient basis for supporting “striking back” in undefined ways. This discussion cannot end well if emotion and frustration are its foundation. Just because a lot of CISOs believe something does not make it right nor mean that it is a wise choice. At best, it shows widespread frustration and I can fully understand that frustration, but the calls to arms must answer to the voices of reason and be able to ethically and legally justify the path they wish society to go down.

The legal issues notwithstanding, offensive cyber actions are
the only way we are going to get our adversaries to pay
attention. Whether they are cyber criminals, foreign intelligence
services, cyber proxies, hackers, hacktivists, or some other
such adversary, we need to do more than just stand and take
a beating.

Again and again, I hear people use the “I’m mad as hell and I’m not going to take this anymore!” motivation for calls to go on the offensive. And using the “beating” and “not punching back” analogy, which is simply ludicrous. Again and again, I reject those arguments as a basis for making policy or law in an area as risky as this. Just because you are angry does not justify going on the offensive, and unless adequate guidelines and oversight exists the situation can get much worse than it is now.

Similar language and motivation is seen in numerous “Stand Your Ground” gun laws that grant vague rights of using lethal weapons in “self defense,” beyond the classic “Castle Doctrine” allowing protection of one’s home. Some of these “Stand Your Ground” law can be misinterpreted and misapplied by individuals who believe these laws empower them to assume law enforcement-like powers. The Travon Martin killing in Florida by George Zimmerman, a self-appointed neighborhood watchman armed with a pistol and confronting a teenager returning to his legitimate residence is one example. Another is the Joe Horn shooting in Texas of two people robbing a neighbor’s house who Mr. Horn didn’t even know. While disturbing, listen to the complete recording of the 9-1-1 call made by Joe Horn right before he left his house with a shotgun – despite being told numerous times by the 9-1-1 operator to not go outside – and killed two people who were robbing his neighbor’s house (not his house, his neighbor’s house). Mr. Horn uses the same language of frustration, dismissal of law enforcement efficacy, and intent to take matters into his own hands based on a new “Stand Your Ground” law in Texas. He can be heard saying, “I ain’t gonna let them go… I’m not going to let them get away with this shit… I don’t like this kind of stuff… I’m gonna shoot! I have a right to protect myself and the laws have been changed in the United States since September the 1st and you know that and I know that! … I’m sorry, I’m doing this! You can’t stop me from doing this! … I’m gonna kill ’em! … They’re getting away! … Here it goes, buddy! You hear the shotgun clicking and I’m going!” Mr Horn can then be heard on the 9-1-1 recording shooting both of the fleeing suspects, claiming he had no choice and had to defend himself because the intruders came after him and threatened his life.

When we attack the attackers (and this is not active defense), they
cannot attack us. Most cyber criminals have absolutely no defensive
posture whatsoever. When hit with an offensive attack, they quickly
shift their targets since it is not cost effective and their whole intent
is economic in nature.

With all due respect, this statement shows how someone in a position of authority, possessing insufficient technical expertise on the subject, is capable of leading us off the cliff. It is not universally true that a counter-attack will prevent an adversary from continuing to attack. Despite supporters of strike-back suggesting that “cyber land mines” that “blow up an attacker’s computer and wipe it out” are the way to go, that is simply a fiction (see response by DannyRoss to Ken Dilanian to “A new brand of cyber security: hacking the hackers”, December 2012.) Even wiping an attacker’s hard drive is highly unlikely to cause a motivated criminal to cease attacking. There is no equivalence between a land-mine capable of permanently blowing off someone’s leg and deleting files on a computer hard drive (which can be re-installed in minutes, or seconds if it is a virtual machine).

While some low-skilled attackers may freak out and get out of the game, in my experience over the past 15 years that is almost never the case with more skilled attackers. Read the Ghostnet report (Ronald Deibert, Arnav Manchanda, Rafal Rohozinski, Nart Villeneuve, and Greg Walton. “Tracking GhostNet: Investigating a cyber espionage network,” March 2009.) and Shadows in the Cloud report (Information Warfare Monitor and The Shadowserver Foundation. “Shadows in the Cloud: An investigation into cyber espionage 2.0,” April 2010.). You will see a case where even taking over their own infrastructure and tracking back to origination points for command and control did not deter the attackers, who continued for more than a year. And if someone wants to rebut what I just said by claiming I am picking out one case and ignoring others, you will have just proved my point re: Mr. Bardin’s over-generalization rather than refute it.

If an attacker has broken into someone’s network and has been there for months, they are almost certain to have more of your assets under their control than you know and thinking you know more than them and can do wipe them out in a single strike is hubris at best and idiocy at worst. If a CISO can’t make the decisions necessary to prevent an intrusion or detect it for 416 days (according to Mandiant) or even 173.4 days ([according to Trustwave Spiderlabs](https://www.trustwave.com/downloads/ Trustwave_WP_Global_Security_Report_2012.pdf)), why should anyone believe they know enough about the adversary to effectively and safely go on the offensive? And if they have to hire someone else to do it for them, how is that “self-defense?”

I am not placing the full blame on CISOs for the long time-to-detect. They operate within a corporate framework with the CFO, CEO, and others, and a business mindset that often places responsibility to reward shareholders above their responsibility to customers (including the U.S. government) whose data they possess and are supposed to be protecting. That is their choice, but they should also be called to account for this failure before they are granted immunity from computer crime statutes in order to “attack back.” The years of Boards of Directors and corporate executives being given a pass, claiming that nobody could have foreseen the attacks (many have been warning of these attacks for over a decade) and allowed to “self-regulate” have demonstrated many decision makers are unable to live up to their responsibilities to defend their own networks and should now be properly regulated – made to report breaches to law enforcement, made to pay for damages to individuals whose credit card numbers and identities are abused, held to account for failing to make decisions about system design, operation, and incident response that allow them to adequately save their own assets – before we even begin to discuss granting them immunity from computer crime statutes to go on the offensive.

Crowdstrike proclaims a great deal of services that they
believe are offensive in nature. I remain skeptical and see
them as cyber law enforcement (since they hired law
enforcement to run their services and law enforcement
legal to ensure their activities are legal). Sounds like
cyber law enforcement to me.

Really? This sounds to Mr. Bardin like law enforcement? Since when can a corporation unilaterally establish a business model that usurps or assumes law enforcement authority? Or is the suggestion that they will be prosecuting criminals, using judges or the courts for warrants and subpoenas, all with a basis in constitutional authority and oversight by courts and the legislature? I think the proper term here “vigilantism,” which is not accepted in western society. At best, such a service provider is are acting within a contractual relationship on the behalf of victims in collecting evidence that can then be used by law enforcement agencies for prosecution, or even for the victims themselves for civil legal action (torts) along the lines of multiple cases Microsoft has filed in U.S. courts over the past couple of years as part of their MARS initiative (although I have yet to see a statement that civil legal action is an end goal of “active defense” by those promoting it today.)

Assuming we are discussing private corporations engaging in investigation of criminal acts in parallel to, and without coordination with, law enforcement, let’s take a look at a real-life analog to this. In the UK, the News of the World hired private investigators to look into the case of Milly Dowler, a missing teenager later found murdered. The police were investigating the crime. The News of the World hired a private investigator who broke into her voice mail and, once it became full, deleted some of the messages to allow further voice mail messages to be left in hopes that would lead them (not law enforcement, but the media) to find clues as to who had abducted her. In an interview by a former News of the World editor, Paul MacMullan, he justifies these actions by saying that they were just trying to help the police (see this video and this video). He says, “We were doing our best to find the little girl,” and that, “The police are utterly incompetent and should be ashamed that the killer was allowed to carry on.” (http://www.digitalspy.co.uk/media/news/a353531/milly-dowler-phone-hacking-not-bad-thing-to-do-says-ex-notw-reporter.html). Mr. MacMullen repeats the story of someone calling in from Kenya (not exactly the jurisdiction in which the phone hacking occurred) whose argument he likes. The caller suggest that it might have been helpful “that some clever young journalists were investigating as well [as the police].” The investigator was operating without any guidance on appropriate methods, illegally accessed a victim’s phone voice mail, and had no ethical framework in which to balance their actions against harms. The result was that these acts caused immense false hope – later turned to renewed pain and grief – to Milly’s distraught parents who believed she was the one who had accessed the voice mail and this proved she was still alive. I don’t see much difference between Mr. Bardin’s statements and Mr. MacMullan’s that law enforcement is incapable and private actors would do a better job.

Without a discussion of the possible negative outcomes of unrestricted private sector actions to “help law enforcement” and how to mitigate them, such problems will become routine. I have heard federal law enforcement agents say that many times they have spent time issuing search warrants and subpoenas, only to collect evidence that leads to a “white hat” who is actively manipulating a botnet to try to find the perpetrators. How is unrestricted and unaccounted for destruction evidence, or creation of false evidence by manipulation, in an active crime scene helping law enforcement?

Since 2005, through Treadstone 71, I have been providing
surveillance, reconnaissance, cyber intelligence, open
source intelligence, cyber counterintelligence services in
jihadist sites against our Al-Qa’eda adversaries. Since
2005 and before, the owners of Crowdstrike have been
selling defensive technologies (McAfee).

It is one thing to monitor web sites and chat channels where public or semi-public discussion occurs and pass along information that is collected. It is entirely a different matter to attempt to subvert highly-encrypted tunneled command and control, in multi-partite malware infrastructures that span the kill chain from recon, to penetration, to lateral movement through backdoored system, through data exfiltration, and to be able to “tackle, disarm, and kill” an adversary. I mean no disrespect by this statement, but hasn’t the AV industry been failing for years to stop malware attacks (while making incredible profits along the way)? Why should this past failure now justify giving them blanket immunity to try to strike back by, as Kaspersky recently suggested in a blg post, “Carrying out mass remediation via a botnet; Using the resources of any compromised system during an investigation; Obtaining a warrant for remote system exploitation when no other alternative is available; Using the expertise and research of private companies, providing them with warrants for immunity against cybercrime laws in particular investigation” (Stefan Ortloff. “FAQ: Disabling the new Hlux/Kelihos Botnet.” , March 2012.) I would like to see how Mr. Bardin answers the questions laid out in the following paper: David Dittrich, Felix Leder, and Tillmann Werner. “A Case Study in Ethical Decision Making Regarding Remote Mitigation of Botnets.” In Proceedings of the 14th International Conference on Financial Cryptography and Data Security, FC’10, pages 216–230, Berlin, Heidelberg, 2010. Springer-Verlag.

I am confused by their claim of involve: “surveillance
and reconnaissance, counter-espionage techniques, hostile
target dismantling, and denial and deception,” on one hand
when Shawn Henry indicates that his company does not
advocate hacking into systems. “We want to help
companies do what they can, within their own firewall and
within the confines of the law, to make them more resilient
and secure,” he said. “We encourage our clients to be
proactive, not reactive, by taking actions that create confusion
and doubt for the attacker and cause them to go elsewhere,”
he added. One tactic Crowdstrike uses is to feed an
adversary fake data instead of the intellectual property or
specific data they are seeking. “Watching what an adversary
is doing, the data they seek, and the tactics they use may be
helpful in determining who is conducting the attack,” Henry
adds. Therefore, the messaging coming out of Crowdstrike
is confusing to say the least. Are you or are you not
offensive? (Best define it first). Are or are you not law
enforcement cyber? $26M investment is an awful lot of
money to have confusing messaging. In addition, I can get
indicators for free through data sharing with companies
like Raytheon.

While I agree with Mr. Bardin that CrowdStrike’s message is muddled and actions ill-defined, even after he questions whether they are/are not on the offensive he continues to suggest they should be allowed to go on the offensive. I believe the message appears muddled, in part, because of the same problem of language I addressed above. It is impossible to have a meaningful discussion about what should/should not be allowed when vague and undefined terms like, “offensive services” are used in a way that the definition can include everything from passive intelligence collection within one’s own network to some unspecified cyber analog to “tackling, subduing, and killing” a terrorist on a plane.

The four levels that Agora workshop attendees developed in 2001, and the ethical principles enumerated by Ken Himma in work I co-authored with him (David Dittrich and Kenneth E. Himma. “Active Response to Computer Intrusions.” Chapter 182 in Vol. III, Handbook of Information Security, 2005.) reflect this range and allow a more nuanced discussion of what actions are being considered and at the same time, more clearly identifying where they fall on the range of intrusiveness, aggressiveness, and risk. This level of sophistication of discussion then falls easily into comparisons of proportionality, targeting, necessity, risk/benefit assessment, mitigation of possible harms, etc. Without including these elements, it is far too early to be discussing granting exemptions from criminal statutes.

I would go so far as to suggest that no company should be allowed to take aggressive offensive actions unless and until they are fully prepared to have answers to all of the above listed elements of ethical and legal decision making at a level comparable to that embodied in legal documents filed by Microsoft in its court actions (see my blog post to understand what I mean). As I said in that blog, “The act of writing up a complaint, backing it up with declarations in support of the plaintiff’s motions, and having a federal judge review and grant plaintiff’s motions is a very clear, very thorough, and very public justification for taking bold action. This process explains of who is being harmed, how they are being harmed, what can be done to stop the harm, and why the court should grant the plaintiff’s motions. If this were a federally funded research study on developing a treatment for a disease, it is this level of detail that must be provided in order to get approval from ethics review boards. If we require such justification of doctors doing risky medical research that can harm us, why should we not have to similarly justify risky actions we take to resolve infected computers? This is the kind of standard that is warranted in order to show defensible justification for taking risky and aggressive action, before such action is initiated.”

Sounds to me that Crowdstrike is trying to
operate much like the FBI did with the
Coreflood takedown.

I would agree with this only in so far as CrowdStrike attempting to take control of a botnet. That is as far as the similarity to the Coreflood case goes. In Coreflood, the FBI was granted authority by a federal court to take control of a botnet (they did not do so unilaterally by “hacking back”), and in fact the court constrained the FBI to only issuing the “stop” command and specifically ordering they could only issue the “remove” command if/when they had obtained a signed “Authorization to Delete Coreflood from Infected Computers” from the owners of the affected computers. That form acts as a form of “informed consent” for outside cleanup, which the victim believes they are not capable of cleaning up themselves. That is as far away from unilateral remote mitigation of a botnet as hinted at by CrowdStrike’s press releases and Kaspersky’s Hlux blog.

I think Mr. Bardin simply means “uncooperative takedown of a botnet,” more like the Hlux botnet takedown and others documented in my LEET 2012 talk. (David Dittrich. So You Want to Take Over a Botnet… In LEET’12: Fifth USENIX Workshop on Large-Scale Exploits and Emergent Threats, April 2012.). I suggest reading those case studies before thinking that all botnet takedowns are the same or that they are always successful.

The information used by Crowdstrike to provide greater
security through proactive actions requires a great deal
of intelligence gathering, production, and analysis in
order to extract actionable intelligence. That actionable
intelligence is really adversary indicators. Indicators that
define and describe trends, tendencies, methods, modes,
and actions under conditions taken by the adversary. I
just attended the CISO Executive Summit in Boston put
on by Evanta. At the Summit, Jeff Brown of Raytheon
offers these indicators for free. What he offers is up to
2,000 different indicators a day collected by one of the
world’s largest companies form the US military industrial
complex.

Now Mr. Bardin is sounding reasonable, suggesting that victims have ways of sharing threat intelligence to better secure their own networks. This is the responsible first step I mentioned earlier, in line with recommendations of others (including Jody Westby).

Is it really illegal to execute a counter attack? Based
upon who’s law where?

Again, this question can be answered by studying relevant laws, which is the responsible thing to do before taking actions that may violate them. The law is what is written by legislators, interpreted by courts and juries, and varies from jurisdiction to jurisdiction (state to state, state to federal, and country to country.) The actual answer to both of his questions is, “it depends,” and to explain how it depends you must identify the targets in full before starting to shoot at them, which is far harder to do than Mr. Bardin is suggesting. I would suggest starting with reports such as Liis Vihul, Christian Czosseck, Katharina Ziolkowski, Lauri Aasmann, Ivo Ivanov, and Sebastian Bru ̈ggemann. “Legal Implications of Countering Botnets: Joint report from the NATO Cooperative Cyber Defence Centre of Excellence and the European Network and Information Security Agency (ENISA)” , 2012 and Alana Maurushat. “Ethical Hacking: A Report for the National Cyber Security Division of Public Safety Canada,” 2012. The former cites the Supreme Court of Estonia’s holding that, “the limits of self-defence are exceeded in a case where the person fighting a danger (botnet) is perfectly aware of (direct intent) the fact that his technique and means exceed the threat of the particular danger (or even intends to respond with excessive measures – deliberate intent), and that the damage he is creating is excessive. Thus, the principle of proportionality has to be followed strictly” It also discusses the principle of Necessity in relation to legal justifications for countering botnets citing the German Civil Code § 34 (see p. 42). The latter (while in many ways also not very well researched, and equally vague about use of the term “ethical hacking”) at least shares some of the same recommendation I make in this response, specifically “licensing of security experts” and ensuring that “these activities should not be contracted out to security firms unless they are closely scrutinized and held accountable in some form of safeguard or compliance mechanism.”

Mr. Bardin is not exhibiting sufficient understanding of laws and how the legal system works to either criticize or dismiss them. Any CISO who accepts his arguments and goes on the offensive needs to recognize this, and to understand a fact brought to my attention by someone in federal law enforcement in conversation recently. Let’s say a CISO in the U.S. chooses to go on the offensive, disrupts the systems of another company in a different country in violation of one of the laws cited above. Should that CISO now travel to said country, they could be arrested, detained, tried in court and possibly even serve jail time. This is not hypothetical, and applies not only to private sector individuals but also law enforcement agents. In the “Invita” case (United States v. Gorshkov in 2004), suspected computer intruders in Russia were lured to come to the U.S. and be interviewed by a “company” who was interested in paying for their services, which was in fact the FBI. During a demonstration of their hacking prowess, the FBI captured passwords the suspects used when they logged into their systems in Russia. After arresting the suspects, the FBI then used those credentials to log in and download hundreds of megabytes of files containing evidence of multiple crimes. The Russian government in turn issued a warrant for the arrest of the FBI agent who did this, citing violation of Russian computer crime laws. The agent can no longer travel to Russia (or any country with an arrest and extradition treaty with Russia) without risking arrest, transfer to Russia, trial, and potential imprisonment. The same would hold for a private citizen, including the CISO who authorized “hacking back.” Anyone who chooses to violate the law on principle, in order to achieve a goal they believe to be justifiable, must be prepared to answer in court for that decision and had better be prepared to provide that justification and pay whatever price is imposed by the legal system.

As my information continues to flow at record
levels and pace, should I stand idly by and wait
for law enforcement to catch up? I think not.

No. Of course you should not sit idle and wait for law enforcement. Nobody is suggesting that and this is simply a false argument. Should one first be a good victim, collect evidence of crimes within one’s own property, and report it? Yes. Is this kind of forensics hard and costly? Yes. But as someone who teaches this, Mr. Bardin should know how important it is to do a good job of forensic analysis and reporting. Unless you want to hand over passwords to all your systems and let the FBI have the run of your network, it is a corporate victim’s responsibility to preserve and collect evidence, report it in a timely manner to law enforcement, and make sure their job is easy (not hard) to correlate cases and be able to adequately prioritize investigations. This is the root of data sharing discussions, as poor data sharing results in the old computer science adage, “Garbage in; Garbage out.” It is foolishness to think that safely counter-attacking is any less hard, or less expensive. In fact, to do it properly, safely, and in a manner that can be defended on ethical and legal grounds, it is likely more expensive. None of this is considered in Mr. Bardin’s proposed “solution” to the problem of computer attacks.

Response – including high-quality host and network forensics – is costly because it is hard, and it is hard because it is not in the interest of the computer security industry players to make their tools work and play well together. In fact, they integrate very poorly, and nearly everyone cuts/pastes information manually from web pages, email messages, and text or PDF reports. The capabilities to perform distributed, collaborative, response using semi- or fully-automated data transfer across security devices and systems have not grown nearly as fast as attackers have built complex distributed attack architectures. If I were given $26M, I would make available in 3-5 years a suite of tools that every internet-connected site could use to facilitate collaborative response and to also foster education and ongoing training to increase the capacity of all sites to respond to attacks. Such an effort has not, to my knowledge, been attempted to date and is part of the problem that underlies the calls to “go on the offensive.” I published a paper in 2008 laying out part of this idea. (David Dittrich. “On Developing Tomorrow’s ‘Cyber Warriors’.” In Proceedings of the 12th Colloquium for Information Systems Security Education, June 2008.)

But let’s engage in some of this cyber/physical analogizing for a moment. Would Mr. Bardin claim a right to chase down and shoot any criminal who steals a limousine from his company’s motor vehicle pool? Or someone who steals a laptop from the CEO’s car in the parking lot? Perhaps if the company is in Texas, but otherwise, this never happens and nobody is calling for that right. If it is not acceptable to take the law into one’s own hands for certain crimes against property in the physical world, why would one then believe they have the right to not report a cyber crime to law enforcement and instead attack back or take punishment into their own hands? That is ludicrous, but seems to be exactly what Mr. Bardin is calling for here.

Could there be collateral damage? Certainly. Could laws
be broken? Certainly. However, what laws are those and
who is going to prove them? If I take action against my
adversaries, and it is on their virtual soil, am I really
concerned? We may not have MLATs with these countries.
And even if we do, it does not mean that the adversaries
are not wired into the foreign intelligence services of that
country.

So at least Mr. Bardin admits there is risk, but now seems to be suggesting that it is acceptable for private citizens to counter attack against nation states? Or to ignore the laws of some country because it is more convenient to strike back at a system believed to be owned by someone who has broken into your network and not an innocent third party? If it is a tort to trespass or interfere with a business process, and your action to “defend” your network is by trespassing and attacking back in a way that disrupt some other innocent victim’s business, why should the counter-attacker be immune from civil action, or from national criminal penalties for unauthorized access or modification to protected computers? And how exactly is one to know what is/isn’t your “adversary’s virtual soil?” It is impossible to map an IP address to a physical place in the 3-D geometry of the physical world, and the use of “stepping stones” and proxies means you cannot really be certain of the end-point of a given connection in all cases. Sure, there may be a vulnerability in an adversary’s system that could provide intelligence as to their precise location, but that is not guaranteed and takes very advanced capabilities to achieve. This isn’t like a lab in a classroom exercise on an isolated teaching network.

Additionally, Mr. Bardin brings incorrectly raises the issue of having an “MLAT” (mutual legal assistance treaties) in the context of private actors violating computer crime statues by “offensive” actions. MLATs deal with law-enforcement to law-enforcement interactions across boarders and have nothing to do with private sector actors engaged in forensic data collection or “private investigation” as Mr. Bardin is describing the situation. This is completely orthogonal to allowing private sector “attack back.”

Lastly, If the threat model is intelligence service penetration of law enforcement by adversaries, is Mr. Bardin suggesting ALL law enforcement and intelligence activities be abandoned in favor of the private sector? I seriously doubt it. (Another argument that is not helpful to the discussion.)

When counter attacking or openly attacking an
adversary, it is going to be just as difficult for the
adversary to identify me (a collective me) as it is
for me to identify them if not more difficult.

Again, Mr. Bardin is saying something that my experience leads me to conclude is a wild exaggeration, not to mention contradicting his statement elsewhere that we are, “virtually standing right next to them”. If you are striking back from your own IP address space, to a system and adversary controls, it is trivial for them to identify it is you counter-attacking. Look at what happened to the Mariposa Working Group and you can see what happens when you attempt to fight an adversary and they attack back with 900Mbps of distributed denial of service (DDoS) attack flooding against those who are trying to wrest control of a botnet C&C. If you mask a counter-attack by using another entity’s network address space, do you not expose them to potential counter-counter-attack in retaliation? How will you then justify the harm you just transferred to an innocent third party caused by your actions to conceal yourself? (This is why the law of war requires combatants be uniformed with the flag of their own country, not to wear the uniform of another country or pretend to be an uninvolved civilian non-combatant.)

If an attacker has control of computers within your network and are able to monitor your communications and see any discussion of counter-attack planning or execution, they will most certainly know. An intrusion into the UW Medical Center in 2001 lasted for months precisely because the adversary was reading email of the incident responders. The same is true of the Stakkato incident in 2004 (Leif Nixon. “The Stakkato Intrusions,” 2006.), where the attacker read defenders’ communications. Computer criminals arrested and prosecuted in the Pacific Northwest were using stolen passwords to monitor email and FAX transmissions of victims businesses giving them the ability to destroy records and evade detection or countermeasures. (See paragraphs 50 - 52 in the indictment UNITED STATES v. JOSHUAH ALLEN WITT, BRAD EUGENE LOWE, and JOHN EARL GRIFFIN).

To believe that an adversary who is able to bypass defenses and get into your system has no capacity to monitor your communications and be aware of your counter-strike, is naive in the extreme. How do you think most sophisticated targeted attacks start out? (If you don’t know the answer, you have just lost credibility points.) What is true is that it is going to be far easier for an innocent third party whose systems are disrupted by a botched counter-attack to identify the “good guys” and haul them into civil court for tortious interference with business process than it will be to find and prosecute the bad guy. The first time a Fortune 1000 company fires back and damages the systems of a Fortune 10 company, there will be massive headlines when the law suits are filed in federal court.

For years we have been watching their methods,
identifying and tracking their tools and tendencies to
the point where we (in our efforts to counter attack) look
and smell just like our enemies. They do not even know
we are virtually standing right next to them. They believe
it is their brother in arms. The usage of sock puppets,
anonymity, methods of misinformation, disinformation,
cyber psyops, cyber sabotage and espionage greatly
diminishes their capabilities and forces the adversary to
invest defensive measures. It forces them to defend their
environments. When doing this, they are certainly not
attacking us. In fact, I teach these methods at Utica
College in their Masters Program on Cybersecurity:
Intelligence and Forensics as well as through
Treadstone 71 and Secure Ninja.”

This is not a graduate classroom and seems so far over the top that I will let Sun Tzu respond to this paragraph:

“Appear weak when you are strong, and strong
when you are weak.”

“If you know the enemy and know yourself, you
need not fear the result of a hundred battles. If you
know yourself but not the enemy, for every victory
gained you will also suffer a defeat. If you know
neither the enemy nor yourself, you will succumb
in every battle.”

“If ignorant both of your enemy and yourself,
you are certain to be in peril.”

Any company that cannot discover an intrusion for a year sufficiently knows neither themselves, nor their enemy, and is not in a strong position to win a battle by going on the offensive against them. If they chose to hire a corporation to go on the offensive for them, they not only take on the responsibility for ensuring the justification for self-defense is thorough (as described elsewhere in this response) and that they have first lived up to their responsibility to adequately have defended their property and have truly exhausted all other options before acting in ways that violate the rights of others (be they innocent or suspected of being guilty).

We must look at our current cyber legal and
military environment as it relates to defending
our virtual homeland. It is highly immature with
limited vision and strategic foresight for creating
a cyber National Guard and cyber police force.
In the meantime, we hemorrhage data.

I am glad Mr. Bardin brings up the military, as it operates under well established international “laws of war” and operates under tightly defined rules of engagement that conform with both international laws an treaties such as the Geneva Convention (specifically Article 52), the United Nations Charter (specifically Article 2(1) [refrain from the threat or use of force] and Article 51 [Right of self-defense is not abridged]), to name a few. In fact, John Brennan’s April 30, 2012 speech on “The Ethics and Efficacy of the President’s Counterterrorism Policy” at the Woodrow Wilson Center describes not only the relevant laws and legal authorities under which the Obama Administration makes decisions about the use of military force, but specifically cites the principles of necessity, distinction (specific targeting of military objectives and avoidance of civilians), proportionality, and balancing of national security benefits against costs to our nation in other ways (e.g., military expenditures, damage to international relations, and erosion of our reputation for being a nation that has a “moral and strategic interest in binding ourselves to certain rules of conduct.”) Why should we expect any less from the U.S. private sector when it asserts a right to engage in actions that impact computer systems in other nations, because their counterpart corporations in other countries may do the same thing back at stepping stones here and impact the integrity or availability of computers/networks in this country?

We are living in a world much like the times of the
French and Indian War (Seven Years War) where there
are protected locations such as Albany, Fort Edward,
and Fort William Henry, all secured by military means
while the rest of the territory is left to fend for itself.
We are much like the frontiersmen and women depicted
in the movie “Last of the Mohicans,” where we have
carved out a virtual living for ourselves in potentially
hostile area. We live amongst the enemy and understand
their methods and indicators. We know the enemy as
we know ourselves and in doing so, we are able to fight
them on the same level, with the same tactics that they
use. We do so to protect ourselves until the proper
authorities become organized and move to defend us.

I beg to differ with Mr. Bardin’s analogies to times/places past. This isn’t like the French and Indian Wars, where we live in military garrison communities. Is he suggesting that the military is impenetrable and the Fortune 100 are isolated with no protection? Nor are we like the frontiersmen who lived in a harsh and sparse landscape where there was no national law enforcement and all law enforcement involved a town Marshall and a volunteer posse. It may be closer to the latter years of the 1800s when the Pinkerton Agency was hired by railways and banks to guard valuables transported by trains between local jurisdictions where Marshall’s would take so long to summon a posse to chase after robbers on horses that they would have hours of head start and would cross legal boundaries knowing law enforcement could not follow them. But even that analogy does not hold in a world where backbone providers can monitor network flows, enterprises should be able to control traffic across their own network borders and within their own networks, and with combined law enforcement and intelligence task forces that cooperate with their equivalents in other nations. Again, the problem is more of inadequate host and network forensic capability, inadequate visibility and monitoring of what goes on within a company’s own network, and inadequate reporting of computer crimes to law enforcement authorities, not a lack of exemptions from computer crime laws allowing executives to call for “hacking back.”

And if we really do understand the enemy and their indicators as well as Mr. Bardin suggests, why is that understanding not sufficient to prevent them from compromising systems, transitioning laterally through vulnerable system to vulnerable system, and to exfiltrate gigabytes of data across an enterprise’s own network perimeter without it seeing and stopping it? If corporations don’t invest the resources to protect their own intellectual property and prevent those extremely valuable assets from being stolen, how can they then use that same asset value as the basis for a cost/benefit calculation about taking aggressive action that could cost innocent third parties who are caught in the cross-fire? There is another legal principle that Mr. Bardin does not mention that

_The legal doctrine of self-defense is fine in the
physical world but it does not apply in the virtual
world. At least not yet. We are still on that
proverbial frontier. I am sure that I will not stand
idly by as my virtual cabin and settlement burns
to the ground.

There is positive outcome when attacking your
cyber adversaries. It disrupts their command and
control. If forces them off their mission. If forces
the adversary to invest in measures they have
never invested in. It forces a ripple in their activities
that can then be tracked through primary, secondary
and tertiary actions. Standard methods in the
intelligence community._

That is not the case with advanced attackers, just “script kiddies.” It is nothing to brag about attacking a teenager, and it is foolish to think that being the best flag football player in your league makes you capable of going up against an NFL defensive line and scoring a touchdown. Nobody with serious technical expertise in this field will buy this claim. And how do we know how much a counter-attack costs them and sets them back? There is very little good economics data about the costs of cyber attacks, let alone the cost of counter-attacking. The Hlux botnet was sinkholed earlier this year and was back up and running in a matter of hours. Did that really throw them “off their game?” I need to see verifiable facts before I will accept conjecture as the proof for an argument like this.

When it is mentioned that companies may suffer
reputational issues, stock price drops or financial
loses I can only state that this is exactly what has
been happening for years as companies lose data
and suffer all the above. I would be more inclined
to invest in a company that protects my data
through any means as opposed to one that
continues to lose it.

Aren’t these stock drops due more to loss of confidence in corporations to protect our data, not because they are not attacking back? What evidence is there that customers are more interested in companies attacking back than in them making better decisions about resource allocation for defenses and secure engineering practices? Which direction will the stock price go when an technically non-competent CEO takes the advice of an overly confident CISO and ends up disrupting a competitor’s systems, or a foreign country’s government systems causing a diplomatic crisis? I doubt it will be an up-tick.

I ask the question: Is it more risky to continue
the same methods of cyber defense (stand in
the ring with multiple opponents just bobbing and
weaving never throwing a punch) or more risky
to start fighting back with jabs, combinations,
head and body blows?

This is a false choice (do nothing vs. fight back), as well as an inappropriate analogy (use of force in defense of persons vs. use of force in defense of property, a common mistake by those who have not studied this topic and are relying only on emotion as a basis for argument). It is not a matter of continuing as we are, being compromised left and right, or going on the offensive. Why not change the way resources are allocated to perform better forensics and change policies to counter the attack methods being used? Social engineering works because users are not properly trained to recognize attacks. It works because business leaders cut costs by reducing the workforce who are tasked with defending the networks, by paying low wages and not being able to attract highly-skilled security operations staff, system administrators, and skilled programmers. Resources are allocated on security devices that are not designed to work together, requiring manual processes with slick GUIs and cutting/pasting indicators instead of transmitting them in machine parseable formats. Why are customers not demanding security device vendors work and play better together? Law enforcement is hampered because victims chose to not report computer crimes, partly due to fear of competitive disadvantage or loss of customer confidence (which is lost anyway when breaches eventually become public.) We are losing the defensive battle because we are not coordinated, don’t practice enough, don’t spend money wisely, and don’t collaborate very well with each other, let alone with law enforcement. The latter situation is getting better, thanks to efforts like Microsoft’s Digital Crimes Consortium and groups like the Conficker Working Group, OPSEC Trust, etc., but we still have a long way to go. We need to solve these problems before it is reasonable to argue the only solution left is to start shooting back (i.e., this blog fails to satisfy the Necessity and Evidenciary Principles).

But to directly answer Mr. Bardin’s question, yes, it is more risky to allow unfettered and unaccountable counter-attack. Mr. Bardin simply does not seem to know why it is more risky, nor how to craft policy or law in such a way to ensure trust by the public. Until he does, I caution anyone who hasn’t studied this topic carefully to question his arguments rather than buy into the fear/uncertainty/doubt and appeals to emotion.

Are the current administrations cyber actions
really reckless? The US has been getting hit
with cyber attacks and malware for years targeting
our financial systems, military secrets and consumer
information. Isn’t it time we used our capabilities to
attack our adversaries in a virtual mode? Doesn’t it
save more American lives if we virtually sabotage
Iranian centrifuges and disrupt their desires at nuclear
weaponry as opposed to bombing and or invading? Isn’t
it much cheaper to execute such activities as opposed
to bankrupting the country through another war?
Weren’t the physical wars in Iraq and Afghanistan enough
to show that if we have the virtual means to extend
negotiations to drive an outcome, we should use them?

With all due respect, this is a complete “Red Herring.” There is no equivalence between a sovereign government using constitutionally derived authority in matters of national defense and a corporation who failed to adequately secure its intellectual property deciding it is justified in getting retribution by striking back. The issue of “saving lives” conflates and confuses the use of force to protect life with the use of force to protect property, and no company in the world is going to take it upon themselves to unilaterally destroy the nuclear facilities of a sovereign government. This argument is ludicrous and completely off-topic.

But even if the argument was framed in terms of defending a network from exfiltration of intellectual property vs. attacking back to take out the thief, then the answer is no, it is not cheaper to attack than defend. I recently presented a paper on the “success” of recent botnet takedown actions, showing that those that attempted to do it on the cheap had little success. The ones with the least success were the ones done on the cheap, and those with a greater degree of success used some of the top legal talent in the world.

Do we really think that establishing a convention
on cyber crime is going to stop our adversaries?
They do not recognize our virtual borders or virtual
sovereignty as it is. Why would they recognize a
convention on cybercrime? All this does is force
offensive cyber forces to establish an unwieldy ‘rules
of engagement’ that ties the hands of those who can
execute offensive cyber actions. If you believe
otherwise I recommend a read of “Unrestricted
Warfare.” http://www.c4i.org/unrestricted.pdf The
rodeo started years ago (Titan Rain, Moonlight
Maze and Operation Aurora to name a few). The
problem is that we are in the ring with several bulls
at one time. As a former CISO and current cyber
security and intelligence consultant, I can tell you
that we need to become bulls ourselves and flood
the ring with our own.

Mr. Bardin either misunderstands (or is misrepresenting) one of the points that Jody and I are both making, which is that efforts to improve preservation, communication, and reporting to law enforcement of computer crimes, along with enhanced legal cooperation across borders, are the first effort that needs full support of the Fortune 100 victims of computer intrusions. Jody is not suggesting that the Convention on Cybercrime will convince any criminal to stop breaking the law. Again, a false argument. The first priority should be discussing how to ensure they properly allocate funds to defend their intellectual property, both for their corporate interests and to live up to their obligations to secure national security information, and to report crimes to federal law enforcement in a meaningful and timely manner, not granting companies blanket immunity from computer crime statutes in order to “hack back” when hacked. Go all the way back to President Clinton’s second term and his Council on Critical Infrastructure Protection’s “Legal Foundations” study and you will see calls for acknowledging victims’ responsibility, for better data sharing, and yes, even for some controlled private sector cooperation and coordination with law enforcement. (E.g., President’s Commission on Critical Infrastructure Protection. Studies and Conclusions, A “Legal Foundations” Study – Report 1 of 12. 1997, and Stevan D. Mitchell and Elizabeth A. Banker. “Private Intrusion Response.” Harvard Journal of Law & Technology, 11:699, 1998.)

Do not get me wrong. I am not opposed to engaging in the actions along the Active Response Continuum, but I do not believe the security industry is mature enough yet to be able to do it properly and safely. I have been trying to show how I believe it can be done for over a decade now, based on studying the issues and others’ scholarship of the topic, publishing my findings, and participating in/leading discussions on the subject. How about we start with discussing Mitchell and Banker’s suggestions before rushing to weaken computer crime statutes and let loose anyone who wants to “hack back” when they feel like it?

The courses of action that Jody recommends are
admirable and should be followed but these will
take years. In the meantime, my data flows. There
needs to be parallel offensive action to protect our
assets while we wait for those courses of action to
take effect. We can ill afford to stand idly by while
our intellectual property, our most sensitive
information and our wealth is pilfered on a daily
basis.

Since the methods that Jody Westby is recommending were being promoted as far back as 1998, I would like to hear Mr. Bardin’s opinion as a CISO as to why those recommendations have failed to date to be implemented? I think he has some responsibility to explain why he believes it is now more important to skip passed those problems and jump to allowing going on the offese, as he is championing.

Part of the reason it is taking years for law enforcement to deal with a complex legal landscape at the international level is because law enforcement is difficult in a complex international legal landscape. The same is true for drug running, arms dealing, human trafficking, etc. Do we give up on law enforcement in those cases and take the law into our own hands? No. If you are not able to keep your intellectual property from leaving your facility, let’s talk about regulation of the decisions that failed before we talk about granting special legal exemptions allowing offensive actions. And when we do start to have meaningful discussion of how to change laws, let’s start with defining ethical standards by which we justify the proposed actions to be taken on the offensive side and include proportionality, targeting, necessity, declared outcomes, specification of weapons used, requirements for training and after-action reporting to law enforcement, oversight of all of the above, and penalties for when some hot-head CISO makes the wrong call and causes far more damage than is justified by harm to their business interests.

I participated in a workshop held at the Munk School in Toronto, Canada, on the ethics of computer security research and response (Ronald Deibert and Masashi Crete-Nishihata. “Blurred boundaries: Probing the ethics of cyberspace research.” Review of Policy Research, 28(5):531–537, 2011.) This report further details the issues Mr. Bardin is only superficially touching upon. At this workshop, a very thoughtful Canadian lawyer suggested that (and I’m paraphrasing here), “We need to imagine the internet and the world in which we want to live, and work to create policies that ensure that our vision is realized.” I do not want to live with an internet where rash decisions by non-technical executives based on narrow self-interest and rage, or individual researchers who believe they must “save the world” by their own actions, dictate when and how computer systems that may affect my life are disrupted in the name of “self-defense.”

I believe there is a right way to engage in activities higher up the Active Response Continuum, but to do so requires a lot of hard work. Mr. Bardin and others who’s arguments go little farther than inappropriate analogies and appeals to emotion are not convincing me they can use such powers responsibly. That has to change and companies like CrowdStrike need people who are capable of sophisticated and nuanced thinking about acting along the Active Response Continuum and communicating to the public in a way that engenders trust in taking risky actions. As a talented and trusted computer security research colleague said to me recently, “This is an intellectually interesting discussion, but you and I have had this same discussion over and over again for years and nothing changes.” We, as the computer security research and operations community, need to engage in a wider, more nuanced, and more sophisticated discussion of this topic. We, as a society, need to demand that we be presented with a balanced approach of protection, detection, and reaction, all in appropriately focused ways with appropriate oversight and accountability. This discussion and path forward should be based more on scholarship and less on brinksmanship, or we will be creating an internet that is far less useful or trustworthy than the one we have today.

UPDATE (13 Dec 2012) I was referred by a reader to this Twitter conversation, which leads to an LA Times article “Civilian ‘hacktivists’ fight terrorists online.” This article gives some insight into what Mr. Bardin means when he calls for “going on the offense.” Patriotism can be a wonderful thing, however it can also be misused to justify wrongs. I have to question how using false identities to enter jihadist web sites to social engineer personally identifiable information from others in order to turn it over to government agents constitutes the form of “self-defense” Mr. Bardin says is necessary to stop “data flow[ing]” out of his network? Mr. Bardin’s activities in this article and referenced in his post do not seem to be discriminatory, targeted, proportional, necessary, or in any way effective, in countering the type of data breach he cites in his role as CISO. I have to wonder now what ethics training is included in the university courses he mentions and whether they are learning by his example?