Law in the United States has not kept pace with the tsunami of cyber attacks that have overwhelmed corporations and the government. It's become such a frustrating problem that information security start-ups, like CrowdStrike, as well as established ones like Mandiant, are pushing for a “strike-back” capability, something that the Computer Fraud and Abuse Act (CFAA) prohibits. Even if a company takes a network counter-attack off the table and just wants to encrypt its own data which it finds stored on another computer, the CFAA makes even that common-sense action illegal. I don't think that will be the case for much longer. In fact, I predict that 2013 will be the year when the concept of “active defense” will finally become a reality.
It's been a year since the directors of the National Security Agency and the Defense Advanced Research Projects Agency both acknowledged that the U.S. government has been unable to protect its own networks and asked for help from private industry. Earlier this year, two high-profile FBI officials and an Air Force general left government service to join CrowdStrike, a decision driven in part out of the same frustration. Then there was the provocative and somewhat disturbing speech given by Secretary of Defense Leon Panetta in October which warned foreign adversaries that we had significantly improved our attribution capabilities (although there's little evidence to support that claim) and that we would respond militarily to anyone who launched a “destructive” cyber attack against us.
The drive by private industry to be more aggressive in defending corporate networks and the “signalling” by Panetta that we will respond to destructive cyber attacks are both examples of a military strategy known as “active defense.” However, while computer attacks between nation-states may be allowable under certain conditions, such as a presidential finding under Title 50 for a cyber covert action or under the Law of Armed Conflict, there is no such leeway for private corporations under Title 18, Section 1030 – and there's the rub.
A legal debate has already started. On Oct. 13, Stewart Baker, an attorney and former assistant secretary for policy at the U.S. Department of Homeland Security, wrote a blog post where he posed the question: “Does the Computer Fraud and Abuse Act foreclose counterhacking?” In his opinion, the ambiguity of the law leaves some wiggle room for defensive actions. Scott Glick, senior counsel of the national security division at the U.S. Department of Justice, wrote a paper in which he explored other possible scenarios which would allow more aggressive defensive tactics to be brought to bear against attacks in cyberspace.
Glick argued that existing law, which regulates the need for warrants and wiretaps in compliance with the Fourth Amendment protection against unreasonable searches and seizures, isn't the most efficient way of defending against cyber attacks. A different “lens” is called for in the same way that the Fourth Amendment has been adjusted when viewed through a “national security lens” and a “criminal investigatory lens,” he wrote. So the task ahead is to find suitable parallels between these established rules and the present-day realities of a digitally connected world – i.e., a “cyber lens” through which existing legal constraints can be viewed and adapted.