Ethics of International Active Cyber Defense

The ubiquity of the internet is both an inspiration and a terrifying truth that we face in the 21st century. On one hand, the unprecedented level of interconnectivity and the accessibility of facts and information facilitate progress in a way that had never before been fathomed. But the same system that benefits corporate growth and government communications also leaves everyone vulnerable, from the military strategist to the uninformed consumer.

Just as there is no such thing as an idiot-proof tool, there is no such thing as an accident-proof work environment. The only absolute defense against cyber-attack is to remove oneself from the internet. As this is not a practical option in today's interconnected economic environment, I do not believe it is possible for an organization to completely protect its data from the ever-expanding arsenal of electronic attack, the repercussions of which are almost too terrible to completely fathom. Our digital dependence, while enabling a higher quality of life, has also set us up to fall to new lows in the event of its absence.

“Contrary to popular belief, the Internet is so widely used and concentrated in so few backbone points that a coordinated attack actually could destroy its functioning. For many years, backup facilities have included redundant computers and all of their associated peripherals, often in remote locations. Too often, however, alternated communications facilities are not provided. Unless this is rectified, the same disaster that brings down one installation could disable all.” [1]

Due to the vulnerability of our electronic infrastructure, any method of protecting the internet should be considered, if not implemented, in the defense of our critical information pipeline. This, of course, includes better practices, such as strong passwords, hardware firewalls, and up-to-date patches and utilities. But a solid defense can only take a private organization so far, and it does nothing to deter or prevent a dedicated attack. And of course, better practices only defend against the known. In the interest of solid security, a private organization must do more than just bolster its defenses.

As the axiom goes, the best defense is a good offense. Without actively testing every possible aspect of a theoretical attack, a private organization is blindly burying its head in the sand and can only hope that the next attack won't completely decimate its operations. We are still treading unknown territory when it comes to cyber-attacks, and due to the unpredictable nature of cyber crime, any method of vulnerability testing and information gathering must be considered.

“The starting challenge in examining cyber-attacks may seem mundane, but is a critical starting point for any reform effort—that is, defining a “cyberattack.” The terms “cyber-attack,” “cyber-warfare,” and “cyber-crime” are frequently used with little regard for what they are meant to include. This lack of clarity can make it all the more difficult to design a meaningful legal response. We therefore begin this Article in Part I by defining these terms. We define “cyber-attack” as “any action taken to undermine the functions of a computer network for a political or national security purpose.” We also explain the difference between “cyber-attacks,” “cyber-warfare,” and “cyber-crime,” and describe three common forms of cyber-attacks: distributed denial of service attacks, planting inaccurate information, and infiltration of a secure computer network. … The international law of countermeasures does not define when a cyber-attack is unlawful. Instead it simply provides that when a state commits an international law violation, an injured state may respond with a reciprocal act. As explained above, some cyber-attacks that do not rise to the level of an armed attack nonetheless violate the customary international law norm of nonintervention. These violations may entitle a harmed state to use countermeasures to bring the responsible state into compliance with the law.” [2]

I believe that, given the current vagaries of international cyber law, and especially considering that every effective attack has some element of the unknown at its core, we should be allowed to conduct active attacks. We don't know what we don't know, and at times the only defense is to engage in unknown territory and maintain an active presence in otherwise unethical environments.

That said, this should be balanced with a heavy dose of accountability. Every "offensive action" should be logged and submitted for review, and any damage done in the name of preventative measures should be answered for. No party should be able to act with complete anonymity and impunity, no matter the initial intentions. Too much is at stake to permit inaction, but that does not give ANY organization the authority to stomp on the civil liberties of anyone, even in the alleged interest of damage mitigation or prevention.

Active attacks, if used improperly, have the potential to do more damage than the threats they are attempting to prevent. Every safeguard should be in place to prevent unintended collateral damage. By unintended collateral damage, two things are meant: damage to existing infrastructure, and violations of privacy and liberty. Suppose that, in the interest of damage prevention, a private organization conducts active defense exercises in an attempt to gather information about potential aggressors or about the methods by which they could attack the organization's infrastructure, and in these exercises it inadvertently damages a competitor's network or unknowingly alters system configuration files. That organization should be held accountable for creating the very damage it sought to prevent, inadvertent or otherwise.

Because of its offensive nature, we should always consider methods other than Active Defense and, when applicable, resort instead to information obfuscation and concealment.

“Information-based deterrence strives to sow doubt in the mind of a potential adversary about the likely outcome of his aggression. This can be done in three ways: turning international opinion against the aggressor, altering his perception of the military correlation of forces in theater, and fostering instability in his country. Information-based deterrence does not require a pure strategy; it can include a combination of two or three options, depending on the circumstances. Although these three mechanisms could also be used during wartime itself as a means of coercing an enemy, history demonstrates that wartime coercion is much more difficult than is deterrence. Therefore, the U.S. military would have a better chance of success with these mechanisms using them within the context of a deterrence effort. Three cautions are important when discussing perception-shaping strategies against other states. First, in recent times, technology has often outpaced international norms and standards. We still do not have a clear sense of which types of perception-shaping activities will be construed as legitimate peacetime behavior and which as casus belli by international organizations and institutions. Therefore, to reduce the risk of inadvertent escalation, it will be necessary to rethink our doctrine for perception shaping periodically in accordance with developing international norms and standards. Second, perception-shaping activities carry a constant threat of “blowback”: Operations designed to manage the opponent’s perceptions may end up distorting our own perceptions to an equal or even greater extent. For example, while it may be advantageous to convince the enemy that U.S. forces are more capable than they actually are, it would be less helpful to convince oneself of that fiction. Yet, because of the need for consistency and secrecy to accomplish perception-shaping objectives, these two effects are, in practice, not completely separable. Third, deterrence of any sort relies on convincing the adversary not to act. While our actions can affect the adversary’s calculus, we must always be prepared for deterrence to fail. For our purposes, this reality means that information-based deterrence is not the complete solution for short-warning attacks. Other means must be developed to cope with the possible failure of information-based deterrence.” [3]

Before engaging in Active Defense, or an Offensive Front, all contingencies must be considered, and the weight of one's actions must be measured against the potential threat the party is attempting to mitigate. There is always another avenue to consider before actively hacking in the name of defense, and the repercussions can range from compromising an individual's identity, to damaging an infrastructure or system configuration, to unofficially declaring cyber war. While Active Defense has its place in any Security Officer's arsenal, it should never be a first resort, and it should always be used responsibly and deliberately.

[1] Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer security handbook, vol. 1 & 2 (6th ed.). Indianapolis, IN: John Wiley, 14.3.12.
[2] https://www.law.yale.edu/system/files/documents/pdf/cglc/LawOfCyberAttack.pdf
[3] https://www.rand.org/content/dam/rand/pubs/monograph_reports/MR1314/MR1314.ch6.pdf
