International law and private actor active cyber defensive measures.

Author: Rosenzweig, Paul

INTRODUCTION
I. DEFINING HACK BACK
II. INTERNATIONAL CONVENTIONS AND CUSTOMARY INTERNATIONAL LAW
III. NON-U.S. DOMESTIC LAW AND A GROWING OPINIO JURIS
IV. BUT IS IT SMART?
CONCLUSION

INTRODUCTION

Few can doubt that cyber theft and espionage are rampant, costing governments and private sector actors billions, if not tens of billions, of dollars in losses annually. (1) To a large degree, government efforts to reduce the risks of such cyber intrusions have proven unavailing--one need only think of the recent revelations of significant intrusions into more than 140 U.S. companies by Chinese cyber hackers affiliated with the People's Liberation Army. (2)

The failure of the government to provide adequate protection has led many theoreticians to suggest the need for private sector self-help. After all, the argument goes, if the government is unable (or perhaps unwilling) to provide an effective defense available to all citizens on the network, then it is incumbent on private sector actors to defend themselves. More to the point, if the government is unable (or perhaps unwilling) to take or threaten to take offensive actions that would deter cyber attacks, then it may be likewise incumbent on private sector actors to engage in forms of active defense that at times look an awful lot like offensive action. While these private sector actions take many forms, they go by the collective name of "hack back"--the idea that private sector actors may hack back at the hackers who are attacking them.

In the United States, scholars have begun to debate the legality of hack back. To date, that examination has focused exclusively on domestic U.S. law. (3) The discussion is inconclusive, though it is probably fair to say that the weight of analysis favors the conclusion that active hack back by private sector U.S. actors violates the Computer Fraud and Abuse Act (CFAA). (4) But that conclusion hardly ends the matter--laws that are made, after all, can be unmade. And if we were to conclude as a matter of policy that it is appropriate to allow private sector actors to conduct active hack back defense, there might well be an appetite to change the law. (5)

U.S. authorization of private sector offensive action, however, would hardly end the discussion. Indeed, it would merely begin it. Cyberspace is, after all, an internationalized, trans-border domain--best estimates are that roughly 2.5 billion people and more than 1 trillion "things" are connected to the network. (6) Hacking attacks on U.S. companies often originate overseas and transit foreign servers. Thus, any U.S. hack back would almost inevitably involve other countries and their laws. Yet, to date, little or no consideration has been given to the question of whether private sector hack back violates (or is authorized by) the domestic laws of other nations or any international customary law or conventions.

This short Article seeks to fill that gap with some preliminary thoughts regarding the application of non-U.S. law to U.S. private sector hack back. The fundamental conclusions are two-fold: (1) To the extent any customary international law exists, it is likely to discourage private sector self-help outside the framework of state-sponsored action; and (2) almost certainly, hack back by a U.S. private sector actor will violate the domestic law of the country where a non-U.S. computer or server is located. In light of these twin conclusions, U.S. companies considering offensive cyber operations should proceed with caution.

  1. Defining Hack Back

    What is a "hack back"? We can't consider the question of whether hack back is legal if we don't share a common definition of the term. Thus, any discussion of hack back must begin with some working conception of the term's exact meaning. In other words, what techniques are being considered? After all, legality may often turn on the effect or scope of the techniques included within the boundaries of the term--one can easily imagine certain types of non-destructive actions, for example, that might be more readily approved than more aggressive, destructive activity.

    Provisionally, let me begin by offering the following definition of hack back, also sometimes called an "active cyber defense":

    [T]he synchronized, real-time capability to discover, detect, analyze, and mitigate threats. It operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems. While intrusions may not always be stopped at network boundary, an entity may operate and improve upon its advanced sensors to detect, discover, map, and mitigate malicious activity on an entity's network. (7)

    That's a mouthful. In practice, the definition is very broad and covers a wide range or continuum of activities. Some efforts are very passive--we might call them "internal self-defense." Other techniques are more "active." Though the dividing line is not clear, there are two distinctions that will pretty well delimit the various possible techniques we are considering: (1) Is the defender acting on its own network or is it acting outside its network on neutral third-party servers or on the systems of its opponent? And (2) when the defender acts, is it having a discernible effect on its opponent or is it merely monitoring activity without making any actual change in the programming or data?

    Answering these questions gives us some understanding of the range of potential activities that might be characterized as "hack back." First, consider the type of defense that could be characterized as "internal self-defense"--activity within one's own network. Such activities might include (and this is only a partial list):

    * the creation of attractive honeypots (8) with surreptitious payloads that enable a defender to track the attacker inside the defender's own system or to observe efforts to remove data;

    * using threat information and intelligence to screen or block incoming traffic associated with those threat indicators (as, for example, blocking suspect IP addresses);

    * cutting off network access when certain types of internal data are being manipulated so as to prevent their exfiltration;

    * using canary trap (9) markings on data so that when and if it is re-used the illegal activity will be readily identified.

    We can also imagine far more aggressive and disruptive activities that operate beyond the boundaries of the defender's network and have effects at the attacker's location, or at intermediate locations. These types of "Active Defense" (which may actually seem like "offense" to many) could include (and, again, this is only a partial list):

    * using the payloads already described to identify intermediate or originating server sites;

    * going beyond identification to take some action against the intermediate or originating server sites that would cause the data exfiltration or collection activities to stop;

    * using "armed" payloads (in effect, hacker's tools, like zero-day exploits (10)) that cause more affirmative harm, either at the adversary's originating control computer or, possibly, even within the systems of the ultimate user of the stolen data (who may, or may not, be aware of the data's origin).

    Plainly this definition is incomplete--it is more descriptive than normative. And even to the extent that it attempts to be descriptive, many more techniques could be imagined (and likely will be). In the end, the proliferation of defensive techniques is so great that a more precise definition might be impossible to craft.

    The location of a "network boundary," for example, is often indistinct and subject to dispute. But the fundamental precepts are unlikely to change--the extensional, definitional distinction is between techniques that relate to an actor's own system and ones that relate to systems other than the actor's own. (11)

    Taking all of this together, we might conceptualize the definitional/typology problem as involving the following questions: (12)

    * Is the defensive effort inside or outside your network?

    * Does it only involve observation of your opponent?

    * If not, does it involve accessing your opponent's payload or data?

    * Does your effort involve disrupting or perhaps even destroying your opponent's network?

    Establishing a typology of private sector self-defense actions would have a number of positive benefits. First and foremost, if we get the typology right, it will help to identify important definitional questions that the law and policy must answer. We need, for example, to define legally what constitutes a network. We probably also need to identify the difference between attribution techniques and prevention techniques.

    Second, if we get the definitions right, or close to right, a typology then helps us identify the appropriate legal regimes that would apply in various domains. We can ask a sensible question, like, "what should be the legal limits of a private sector actor's off-network attribution efforts that have no appreciable effect?" and actually mean to ask something like, "is this beaconing technique legal?" And, finally, of course, in the absence of a typology we can't discuss the application of domestic law, much less international law.

  2. International Conventions and Customary International Law

    To begin, we must answer a reasonable question: Is international law even relevant to the question of private sector hack back? A fair first approximation of the answer to this question would be, "No, it isn't. Not at all."

    At least two independent and important reasons support this conclusion. First, of course, a quick survey of existing international instruments makes it clear that private sector offensive cyber activity is not mentioned. Thus, as a formal matter, current international law is completely silent on the topic. Second, and rather more fundamentally, with very limited exceptions, (13) international law is directed at nation-state actors and is intended to...
