No National 'Stand Your Cyberground' Law Please*

By William McBorrough, MSIA, CISSP, CISA, CRISC, CEH

Patrick Lin, who is Assistant Professor and Director of the Ethics and Emerging Sciences Group at California Polytechnic State University, penned a thought-provoking piece titled 'Stand Your Cyberground' Law: A Novel Proposal for Digital Security in The Atlantic magazine, in which he offers up a proposal allowing private industry to conduct cyber retaliation against foreign attackers. He rightly points out that a majority of cyber attacks against the United States or its interests are against private companies. It was reported just this week that the Department of Homeland Security has sent out several alerts warning of a "gas pipeline sector cyber intrusion campaign" against multiple companies, which began earlier this year and is still under way. The fact that companies are expected to fend for themselves is a huge vulnerability in our national cyber defense. The Department of Defense protects military networks. The Department of Homeland Security defends other federal government networks. And everyone else is basically left to stand or fall on its own. It is the case that there has been increased collaboration between the public and private sectors in recent years, and policy makers are looking at additional means for increased information sharing and collaboration. The proposed Cyber Intelligence Sharing and Protection Act (CISPA) is one such effort. But if a private company is under attack, there is no cavalry coming. Couple this with the fact that approximately 85% of the US critical infrastructure is owned and operated by private industry. It would take more than information sharing to adequately implement an effective national cyber defense. Our current cyber defense is mostly dependent on private for-profit companies making business decisions about how much to spend on their security overhead. That is certainly a recipe for disaster. It is imperative that government, business and academia join forces and develop better options for addressing this issue.

In the article, Lin writes, "we may not be ready yet for the government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved [International humanitarian law] issues, including Geneva and Hague Conventions [which] requires that we take care in distinguishing combatants from noncombatants."

I would first draw a distinction between passive defense (i.e. blocking attacker access, removing a vulnerability being exploited, etc.) and active defense (i.e. launching a counter attack to disable the attacker's capabilities).

All entities, government and private sector, are engaged in the former. Some more successfully than others. Some with greater effort than others. There are no legal or ethical questions there, except in a much broader sense. If gas pipelines are considered critical national infrastructure and these pipelines are owned and operated by private companies, should/can the government do more to defend them from attack? More than information sharing and increased collaboration, that is.


As to active defense, I have heard of and seen proposals or discussions in security circles of the government launching counter cyber attacks against foreign adversaries on behalf of private companies. Lin's proposal would create a legal framework that would allow the companies themselves to retaliate. He seems to find inspiration in the much talked about "stand your ground" laws such as the one in Florida that came to national attention as it was reportedly invoked in the defense of the fatal shooting of an unarmed teenager by an armed neighborhood watch volunteer.

Notwithstanding his references to armed citizens taming the wild, wild west, I find this proposal problematic on three fronts: from the purely cyber security perspective, from a business perspective, and as a matter of national security policy. I'll reiterate, in fairness, that Lin is not necessarily endorsing this as a solution, but contributing to a much needed discussion on national cyber defense policy.

• Security: In most cases, it is difficult to nearly impossible to ascertain the real identity of the attacker. Attackers use other compromised systems (victims) to launch attacks. Lin makes the point that "There is a reasonable argument in claiming that a botnet is not fully innocent and therefore not immune to harm. Most, if not all, botnets are made possible by negligence in applying security patches to software, installing anti-malware, and using legally purchased and not pirated, vulnerable copies of software". In other words, you allowed your systems to be hacked, so you deserve it if caught in a counter attack. I certainly agree that most reported successful attacks or breaches are a result of some degree of negligence. Most security professionals would agree that no system is immune to attack. We are trained to practice due diligence in making reasonable attempts to identify vulnerabilities and risk. You can never eliminate all risks all the time, nor can you afford to mitigate all identified ones.

• Business: Typical business security incident response practice includes: detecting the attack, containing the damage, remediating the effects of the attack and gathering evidence, returning systems to normal, and some follow-up. Lin's proposal would require additional steps to gather sufficient forensic evidence to identify an actual perpetrator. He proposes allowing companies to present this evidence to some governmental body to review and sanction retaliation. Companies would then have to plan and execute the counter attack. Few companies have the in-house expertise to do this. Few business managers will be willing to fund such activities. What's the return? You get hacked from a $500 laptop and you spend $50,000 to do what exactly?

• National Security: We know for a fact that some of the attacks on our privately owned critical infrastructure have been attributed to foreign government affiliated networks. Would it really be wise to license private companies to attack these networks? I would think not. Most of these folks can't even patch their servers or encrypt their sensitive data. The last thing we need is an international incident started by some system administrator at some SMB. I mean, a government allowing private entities to conduct cyber attacks against a foreign nation with a wink and a nod is not exactly a novel concept. Google 'Russia Georgia Cyberwar'.


I commend Dr. Lin for his contribution to this very important discussion. I don't necessarily agree with the proposed approach, but as a nation we really need to come to terms with how best to improve our national cyber defense, as we are in dire straits.

* This article is cross-posted from http://infosec3t.com/2012/05/10/no-national-stand-your-cyberground-law-please

About: William McBorrough, MSIA, CISSP, CISA, CRISC, CEH: William J McBorrough is a Security Expert with many years of success managing, designing, and implementing medium and large enterprise physical and information technology security solutions. His experience spans the spectrum from small e-commerce start-ups to multi-campus state and federal agencies to multi-state financial sector organizations. He is also on the faculty of various universities including University of Maryland University College, EC-Council University, George Mason University and Northern Virginia Community College, where he conducts research and teaches graduate and undergraduate courses relating to cybersecurity, cybercrime, cyberterrorism, and information security and assurance. He holds a Bachelor of Science in Computer Engineering with a concentration in digital networks and a Master of Science in Information Security and Assurance. He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified Ethical Hacker (CEH). He is well versed in personnel, systems and network security risk management. His core competencies include developing cost effective solutions to enable mission assurance in the following areas: Enterprise Risk Management, IT Governance, Security Organization Development, Information Security and Assurance. Website: http://www.linkedin.com/in/mcborrough