On the Right to Bear Cyber Arms

Tuesday, July 10, 2012

J. Oquendo


In all modern and historic societies, individuals have always had some form of right to defend themselves [1].

In the United States, we the second amendment in the Constitution, "the right to bear arms." [2]

Historically, when an aggressor seeks to injure or harm us, no matter what the background of the individual, race, religion, or gender, the victim, can defend themselves. So how does this apply to "cyber" or Internet based attacks you ask, I will try to give a good argument.

Traditional Business 101

As a business owner, I sell widgets. The business consists of processing, and selling widgets to clients who stop in the store and pay for them.The business earns N amount of dollars which support myself and my staff. Without my business, I would find it difficult to survive in today's economy. My staff also relies on earnings to feed their family and pay bills.

During the course of business, I realize that society can be rough. I set out to legally obtain a firearm permit to protect myself, my workers and the business. In the event of a robbery, I am authorized to defend myself, my workers and my business. Regardless of someone pointing a gun in my face, I have the right to defend myself however, I can also call the authorities.

In the later, where no gun is visible, I can hit an alarm and hope the authorities respond fast enough to catch the criminal and let him deal with the long arm of the law.

Modern Online Business 101

As a business owner, I sell widgets online. Rather than pay excess fees on rents and utilities, I take my business online and allow my workers to telecommute. Customers of mine shop from all over the world. There is no definitive "long arm of the law."

In fact, unless my business is hacked to the tune of millions of dollars, the likelihood of anyone taking a look at what occurred, and even finding the culprits of the crime is low. Anyone who has ever had to deal with a breach can re-iterate that statement: "The likelihood of someone either even bothering to take a look at what happened and even finding the culprit is low."

Reality 101

Working at a managed service provider, clients of the MSP has their PBX systems compromised. The instances of those compromises cost the victims anywhere between $5,000.00 to over $100,000.00 USD. On each incident, relevant information was meticulously obtained, doubled checked, analyzed and reported to a law enforcement agency. The biggest problem beforehand was finding the needle in the haystack.

Unlike traditional crimes, where a criminal is in some shape, form or fashion present and or visible, online crimes are more difficult to trace. An aggressor can appear to be from locations where they have never been. This is the first biggest headache that most law enforcement agents will deal with, and the second is, jurisdictional woes.

Imagine your infrastructure is under attack from a hacker who appears to be coming from an IP address in say, Germany. There is no mechanism to be able to definitively state: "The attacker is German!" This is because an attacker in another country could have compromised a German machine and used that machine as a proxy to attack your business. This scenario occurs quite frequently. Let us assume that the attacker is indeed German for a moment what follows is yet another example of why Internet laws fail.

Right to Bear Arms

Generous Attack Timeline - Six Days

Zero Hour: After discovering an attack coming from Germany, incident responders document and via forensics, begin gathering evidence. The CSO/CTO/CISO contact authorities.

Day Two Authorities interview CSO/CTO/CISO and responders to determine what occurred. They take evidence so their agency can examine what occurred. Agents determine a crime has occurred.

Day Two: Authorities send the evidence to their computer examiners so that those computer investigators can piece together what occurred in order to get a subpoena. Authorities do not want to waste time, so they drive the evidence to the computer agents.

Day Three: Investigators at the Computer Crimes lab are NOT overwhelmed with cases so they begin to sort through Gigabytes worth of data. They finish in record time and get the evidence back to the agents same day.

Day Three (late night): Investigators use the information obtained so far so they can process a subpoena to search the culprits machine. They will need this signed by a Judge.

Day Four (early morning): Judge makes time out of his or her schedule to sign the subpoena. Agents take signed subpoenas, scan them and send them to Germany. German authorities take subpoenas and need to determine if a crime occurred. They go to their district attorney.

Day Five (early morning Germany): German District Attorney is confused concerning technology. Calls in German experts in hopes of getting on an International conference call. Will have to wait until 2PM as there is a six hour difference.

Day Five (early morning USA): German officials and US officials discuss what occurred. Germans now understand however, the German courts are closed. German District Attorney will present the matter to a judge first thing.

Day Six (early morning Germany): German judge signs warrant to seize and search machines located at an Internet cafe. This includes all video of anyone entering the cafe, who may have rented a machine and so forth. German authorities seize machines in order to analyze what occurred.

Day Six (late night Germany): German authorities weren't too busy to analyze machines, discovered in record breaking time, someone in the Philippines compromised the machine in the Internet cafe...

Day Six (early morning mid afternoon in the USA): German authorities break the news to the US law enforcement agency... Dead end? LEO now needs to begin the same six day process aimed at the other country.

Now if you believe this could all occur within even two to three weeks, you would be wrong not to mention that, when this scenario occurs in countries who don't play well with one another, the buck will stop there. This is always the case between say, China, and the United States.

There is little cross collaboration between law enforcement groups on these ends when it comes to cybercrime. Hence the ongoing running "hacker theme" - "the buck stops in China."

Physical versus Networked

In the physical world, we have the rules in place to defend ourselves, our business, our family, our livelihood. We also are aware that most societies have law enforcement to ensure that individuals have the right to question their accuser, be treated fairly (even though they're not treating us fairly), and due process. In a scenario where we are attacked, we are almost expected to contact law enforcement as opposed to slugging it out.

In a slugfest, one can be sure that both parties will be arrested until the mess is sorted out. In the physical world, this partially works because law enforcement can see and arrest two physical individuals. In a networked world, as documented in the fictitious instance above - days one through six, calling any authorities does little since so much time will elapse before the attacker is so far gone any remnants of their identity would likely be useless.

Bad Bad Landlords

Landlords in the United States have responsibilities to meet and there are laws that cover these responsibilities in detail. For example, if a landlord rents to an individual that deals drugs out of the rental,:

The landlord may face fines stemming from various federal, state, city or local laws that are designed to prevent landlords from having criminal activity take place in their rental properties.

Any person that is injured or otherwise bothered by drug dealers in a landlord's rental properties -- be it another tenant or someone in the community -- may sue the landlord, claiming that the rental property has become a public nuisance or poses a danger to the community.

The police or other law enforcement officers may try to impose criminal liability on the landlord if the landlord knowingly allowed drug dealing on the rental property.

The government may seize the landlord's rental property and other assets, in extreme cases.

Finally, as a practical manner, drug dealing in or about the rental property will probably decrease the value of the rental property, making it harder to find good tenants. [3]

On the Internet, we have service providers, web hosting, cloud hosting and so forth. Many of these providers have "terms of service" agreements stating what is, and is not allowed. Many providers do not enforce these terms of service agreements. From experience, I have complained to a multitude of service providers only to see canned responses that go nowhere.

My systems are still attacked, the clients still go about business as usual using certain providers. There are no known laws in place to hold the service providers as accountable as a crooked landlord would be held accountable. This creates a wild west on the Internet and there is no visible or even logical method to attack this problem.

Even if a country did make a law, the law would only apply to an attacker or service provider in that country. The moment an attacker is outside of the jurisdiction, law enforcement agencies will go through the same "six days." Time, money and resources will be wasted, the attacks will continue.

Many landlords want to do the right thing. Many will not allow nefarious activities to take place on their property. The same holds true for some service providers however, in "the rush to make money," many providers never thought about getting caught up in such a crossfire. There are mechanisms to detect and stop malicious activity from leaving a network [4,5], but those are rarely if ever implemented.

With all this explained, the question becomes "what can we do to maintain our rights without being labeled the aggressor?" Personally, I go back to the Golden Rule [6], treat others as you would want to be treated. This could mean that I could start my due diligence by contacting the provider: "Your tenant has been attacking me..." to see where that goes. If the attacks continue, what are my options?

Option A - Counter-Strike

An attacker is decimating my infrastructure. I have contacted their provider who turned a deaf ear. I am now losing hundreds of thousands of dollars per hour and at this pace, I could lose my business. After analyzing the source of the attack, I determine that I will fight fire with fire. I create and launch a denial of service attack [7] to shut down the attackers machine.

Pros - I slowed down the attack in which I have gained enough time to figure out a better defense.

Cons - The attacker compromised a company, and I am now attacking yet another victim.

Argument on the cons: if a provider had performed their due diligence to secure their machine, it would have never been compromised and used to attack other machines.

Option B - Law Enforcement

An attacker is decimating my infrastructure. I have contacted law enforcement but the attack is continuing while law enforcement begins step one of the "six days" step program.

Pros - I acted morally in good faith and "did the right thing."

Cons - my business is suffering, I will eventually have to lay off staff at this point, law enforcement will ultimately hit a dead end as the intelligence on the attacker points to a known RBN [8] like provider.

Option C - Defense in Depth

An attacker is decimating my infrastructure. I have purchased and deployed every security technology I can think of but the attackers are using a botnet to attack my infrastructure.

Pros - I have made the sales quota of someone in the security industry. I have acted in good faith, I can buy cyberinsurance after performing due diligence.

Cons - I am still losing money because of the attack, I have wasted money on useless technologies, I have added a lot of network and technological overhead to my company. I have burdened my staff with learning to configure and maintain bloated and useless technology.

Take your pick, the options all have their pros and cons with each option being useless at the end of the day however, in a counterattack scenario, there is a fourth option.

Option D - Counter-Hack Annihilation

An attacker is decimating my infrastructure. I have purchased and deployed every security technology I can think of. I have contacted law enforcement as a matter of relevance but I know they will not be able to do much. I have given the service provider two fair warnings. I now fight fire with fire.

I mimic (spoof) the attacker and have the attacker go after other criminal organizations. I launch large scale exploits against the attacker to counter-compromise their machines. After gaining access, I document every bit of evidence I can about the attacker's identity. I send this information not only to law enforcement, but I publicize the identity of the attacker. After gaining access and gathering their information, I encrypt their machines to lock them out.

Pros - attack against my infrastructure will stop until the attacker gets back on track. Attacker is publicly identified to not only law enforcement, but to the public at large. Provider is ousted as a "bad landlord."

Cons - committed a crime trying to defend myself. Or have I?

Imagine for a moment I created the following terms of service agreement on my infrastructure: "By accessing this site, you agree to be a law abiding Internet Citizen. By entering and or connecting to this site, you agree that any variance from this rule allows us to counter-strike..." What then? Can you see a malicious attacker calling their law enforcement authority with the following argument: "Hello I am calling to report a crime. I was hacking into a company and they counter-hacked me. Now my drive is encrypted and I can no longer hack."

Or perhaps the provider calling law enforcement: "I am calling to report a crime. We have a client who has been hacking into machines using our infrastructure. Well the victim returned the favor and locked them out of their own machine and sent a DoS attack that shut down the attacker."

Ultimately, I envision counterattacks as being the closest to self defense. There are plenty of arguments for and against it. At the end of the day, I would rather focus on protecting my business. Paying my employees. Overall, just making it as a business owner online.

There are little protections for most businesses and unless governments across the world realize the underlying damages that can be caused, attackers will continue hacking away knowing there is little to no punishment to be had. For the attackers, it's a dream come true yet for a business owner, it's a horrible nightmare.


[1] http://en.wikipedia.org/wiki/Right_of_self-defense
[2] http://en.wikipedia.org/wiki/Second_Amendment_to_the_United_States_Constitution
[3] http://realestate.findlaw.com/landlord-tenant-law/faq-landlord-responsibilities-criminal-activities.html
[4] http://www.faqs.org/rfcs/bcp/bcp38.html
[5] http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ft_urpf.html
[6] http://en.wikipedia.org/wiki/Golden_Rule
[7] http://en.wikipedia.org/wiki/Denial-of-service_attack
[8] http://en.wikipedia.org/wiki/Russian_Business_Network

Cross-posted from Infiltrated

Possibly Related Articles:
Legal Incident Response Attacks hackers Cyber Warfare Ethics Attribution cyberweapons Retaliation Offensive Security
Post Rating I Like this!
Krypt3ia I have been quiet lately because there is too much nonsense going on and no matter how I may provide context or opposing view points, eloquently, or in my usual visceral manner, naught comes of it. I appreciate this article's pointing out the landscape, but, I am ultimately flummoxed to ponder the idea of allowing corporations carte blanche to attack back on any perceived attack on them.


As I said in the article above, I just think this is the worst idea we could ever allow to occur. Condoned or not though, I am sure this goes on today and will only be propagated more through today's cyber-war fervor in our government and military postures. We have found that our legal system is ill equipped to handle the technical issues surrounding digital crime and warfare, and yet we entertain the idea of all out counter-strikes as an option at all as remedy to private networked warfare?

J, I know you are not completely condoning this, at least that is my read here. You know the landscape, and you know the tech, do you really think this is at all an equivalency argument to 2nd amendment rights?

I cannot...
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.