Cyber laws may need tweaking

Share this article:
Cyber laws may need tweaking
Cyber laws may need tweaking

Law in the United States has not kept pace with the tsunami of cyber attacks that have overwhelmed corporations and the government. It's become such a frustrating problem that information security start-ups, like CrowdStrike, as well as established ones like Mandiant, are pushing for a “strike-back” capability, something that the Computer Fraud and Abuse Act (CFAA) prohibits. Even if a company takes a network counter-attack off the table and just wants to encrypt its own data which it finds stored on another computer, the CFAA makes even that common-sense action illegal. I don't think that will be the case for much longer. In fact, I predict that 2013 will be the year when the concept of “active defense” will finally become a reality.

It's been a year since the directors of the National Security Agency and the Defense Advanced Research Projects Agency both acknowledged that the U.S. government has been unable to protect its own networks and asked for help from private industry. Earlier this year, two high-profile FBI officials and an Air Force general left government service to join CrowdStrike, a decision driven in part out of the same frustration. Then there was the provocative and somewhat disturbing speech given by Secretary of Defense Leon Panetta in October which warned foreign adversaries that we had significantly improved our attribution capabilities (although there's little evidence to support that claim) and that we would respond militarily to anyone who launched a “destructive” cyber attack against us.

The drive by private industry to be more aggressive in defending corporate networks and the “signalling” by Panetta that we will respond to destructive cyber attacks are both examples of a military strategy known as “active defense.” However, while computer attacks between nation-states may be allowable under certain conditions, such as a presidential finding under Title 50 for a cyber covert action or under the Law of Armed Conflict, there is no such leeway for private corporations under Title 18, Section 1030 – and there's the rub.

A legal debate has already started. On Oct. 13, Stewart Baker, an attorney and former assistant secretary for policy at the U.S. Department of Homeland Security, wrote a blog post where he posed the question: “Does the Computer Fraud and Abuse Act foreclose counterhacking?” In his opinion, the ambiguity of the law leaves some wiggle room for defensive actions. Scott Glick, senior counsel of the national security division at the U.S. Department of Justice, wrote a paper in which he explored other possible scenarios which would allow more aggressive defensive tactics to be brought to bear against attacks in cyberspace.

Glick argued that existing law, which regulates the need for warrants and wiretaps in compliance with the Fourth Amendment protection against unreasonable searches and seizures, isn't the most efficient way of defending against cyber attacks. A different “lens” is called for in the same way that the Fourth Amendment has been adjusted when viewed through a “national security lens” and a “criminal investigatory lens,” he wrote. So the task ahead is to find suitable parallels between these established rules and the present-day realities of a digitally connected world – i.e., a “cyber lens” through which existing legal constraints can be viewed and adapted.

Jeffrey Carr is the founder and CEO of Taia Global. He is producing a conference, Suits and Spooks, exploring this issue. Speakers include executives from CrowdStrike, Mandiant and Microsoft, as well as Stewart Baker, representatives from INTERPOL and other experts.
Share this article:

Next Article in Opinions

Sign up to our newsletters

More in Opinions

Unfair competition: Proactive preemption can save you from litigation

Unfair competition: Proactive preemption can save you ...

With each job change, the risk that the new hire will bring confidential information or trade secrets with him or her to the new company grows.

Hackers only need to get it right once, we need to get it right every time

Hackers only need to get it right once, ...

Hackers only need to find one weak point to steal valuable information. On the flip side, security pros need to account for every possible scenario.

Successful strategies for continuous response

Successful strategies for continuous response

While it isn't realistic for organizations to expect that it will never happen to them, a rapid, professional and continuous response can limit their scope and reputational impact.