Active Defense: Definitions

Panel 3 - Controlling the Troops: "Active Network Defense" - Is it Legal in the US and Abroad?

Moderator: Rhea Siers, Scholar in Residence at the GW Center for Cyber and Homeland Security (CCHS); Special Counsel – Cybersecurity, Zeichner Ellman & Krause LLP; Cyber Senior Advisor, RANE Network

Panelists:
• David Cass, Chief Information Security Officer, IBM Cloud & SaaS Operational Services
• Aristedes Mahairas, Special Agent in Charge of Special Operations/Cyber Division of the New York Office, FBI
• Roland Cloutier, VP, Chief Security Officer, ADP

(c) Journal of Law & Cyber Warfare 2017. All Rights Reserved.

Disclaimer

This is not legal advice nor should it be considered legal advice.

This presentation and the comments contained therein represent only the personal views of the participants, and do not reflect those of their employers or clients.

This presentation is offered for educational and informational uses only.

Active Defense: Definitions

Dictionary of Military and Associated Terms
• The employment of limited offensive actions and counterattacks to deny a contested area or position to the enemy.

SANS Institute
• The process of analysts monitoring for, responding to, learning from, and applying their knowledge to threats internal to the network.

Center for Cyber & Homeland Security | The George Washington University
• A spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense, in two categories: (1) technical interactions between defender and attacker, and (2) operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors.

Active Defense Spectrum

Annoyance
• Honeynets, honeypots, tarpits, sandboxes, deception

Attribution
• Network protocol analyzers, beacons (notification & identification), intelligence gathering on the dark web

Attack
• Botnet takedowns, white-hat ransomware, asset denial, rescue missions, hack back
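The attribution column above names beacons, the one technique the proposed CFAA carve-out quoted later on this page is written around. The following is an added illustrative example, not from the panel or the deck, of a passive beacon (a honeytoken): a decoy artifact carries a URL whose token is bound to an asset ID with an HMAC, a collector you control serves that URL, and its web log tells you which planted asset was opened, from which address, with which client. The collector host (canary.example.invalid), the key, the asset IDs and the log lines are all constructed for the example; the log format is Apache/nginx combined format.

```python
"""Honeytoken beacon: mint a token bound to a planted asset, plant the
callback URL in a decoy, and attribute hits from the collector's web log.
Added example for illustration; the domain, key and log lines are invented."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed server-side key; in practice load it from a secrets store and rotate it.
BEACON_KEY = b"rotate-me-example-key"
BEACON_HOST = "canary.example.invalid"  # assumed collector domain, not a real service


def _mac(asset_id: str, nonce: str, key: bytes) -> str:
    """Truncated HMAC-SHA256 over asset:nonce so a hit cannot be forged or guessed."""
    return hmac.new(key, f"{asset_id}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]


def mint_token(asset_id: str, key: bytes = BEACON_KEY, nonce: Optional[str] = None) -> str:
    """Token layout: <asset_id>.<nonce>.<mac>. asset_id must not contain '.'."""
    if "." in asset_id:
        raise ValueError("asset_id must not contain '.'")
    nonce = nonce or secrets.token_hex(4)
    return f"{asset_id}.{nonce}.{_mac(asset_id, nonce, key)}"


def verify_token(token: str, key: bytes = BEACON_KEY) -> Optional[str]:
    """Return the asset_id for a genuine token, None for malformed or forged ones."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    asset_id, nonce, mac = parts
    if not hmac.compare_digest(mac, _mac(asset_id, nonce, key)):
        return None
    return asset_id


def beacon_url(token: str) -> str:
    return f"https://{BEACON_HOST}/t/{token}.png"


def decoy_rels_entry(token: str, rel_id: str = "rId9") -> str:
    """Planting example: an external image relationship for an Office document's
    word/_rels/document.xml.rels. Opening the decoy fetches the beacon URL;
    nothing is ever sent to, or run on, the machine that opened it."""
    return (f'<Relationship Id="{rel_id}" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            f'Target="{beacon_url(token)}" TargetMode="External"/>')


# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PATH_RE = re.compile(r"^/t/(?P<token>[^/]+)\.png$")


@dataclass
class BeaconHit:
    asset_id: str
    source_ip: str
    timestamp: str
    user_agent: str


def find_hits(log_lines: Iterable[str], key: bytes = BEACON_KEY) -> List[BeaconHit]:
    """Attribution step: keep only requests carrying a token that verifies."""
    hits: List[BeaconHit] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PATH_RE.match(m["path"])
        if not p:
            continue
        asset_id = verify_token(p["token"], key)
        if asset_id is None:
            continue  # unknown or forged token: worth alerting on separately
        hits.append(BeaconHit(asset_id, m["ip"], m["ts"], m["ua"]))
    return hits


# Constructed sample: one genuine hit, one forged token, one unrelated request.
GENUINE = mint_token("finance-q3-forecast", nonce="deadbeef")
FORGED = "finance-q3-forecast.deadbeef.0000000000000000"
SAMPLE_LOG_LINES = [
    f'203.0.113.7 - - [12/Sep/2017:14:03:11 +0000] "GET /t/{GENUINE}.png HTTP/1.1" 200 68 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    f'198.51.100.9 - - [12/Sep/2017:14:05:40 +0000] "GET /t/{FORGED}.png HTTP/1.1" 404 0 "-" "curl/7.55.1"',
    '192.0.2.44 - - [12/Sep/2017:14:06:02 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(decoy_rels_entry(GENUINE))
    for hit in find_hits(SAMPLE_LOG_LINES):
        print(f"{hit.asset_id} opened from {hit.source_ip} at {hit.timestamp} ({hit.user_agent})")
```

The collector only ever records what the opening client chose to send it; it does not touch the remote system, which is the line the Graves draft quoted below draws between attributional beacons and hack back, though whether even this is lawful is exactly the gray zone the panel describes. Corroborate before escalating: mail security gateways, link previewers and sandboxes open attachments too, so a single hit attributes a network, not a person.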

Domestic Law Governing 'Active Defense'

Governing U.S. Law

• Wiretap Act
  • Prohibits interception of wire, oral, or electronic communications without consent.
  • Federal law requires one-party consent.
  • Parallel state law may require two-party consent.
• Cybersecurity Act of 2015
  • Establishes a mechanism for cybersecurity information sharing.
  • Creates an antitrust exemption for cybersecurity information sharing.
• Computer Fraud and Abuse Act (CFAA)
  • Prohibits intentionally accessing a computer without authorization, or exceeding authorized access, and thereby obtaining information that has been determined to require protection against unauthorized disclosure.
  • The CFAA prohibits: obtaining national security information; accessing a computer and obtaining information; trespassing in a government computer; accessing a computer to defraud and obtain value; intentionally damaging a protected computer by knowing transmission, or recklessly or negligently causing damage and loss by intentional access; trafficking in passwords; and extortion involving computers.

An 'Active Defense' Exception to the CFAA

A proposed amendment to the CFAA was released by Rep. Tom Graves on May 25, 2017: "The provisions of [the CFAA] shall not apply with respect to the use of attributional technology in regard to a defender who uses a program, code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of an intrusion."

Gray Zone in the Law

Gray Zone Example

• Google "Operation Aurora" hack (2009)
• Google retaliated by supporting a mission to operate outside of its network to track down the attackers.
• Google's search led them to a server in Taiwan, and found that the attacks were likely being controlled from China and involved at least 30 targeted companies.
• Google shared its findings with law enforcement, the intelligence community, the companies involved, and the public.
• To date the government has never prosecuted a single company for engaging in active defense measures similar to Google's, although it does warn of its authority to do so.

Legislative Initiative to Allow Limited "Hacking Back": Active Cyber Defense Certainty Act

• Objective: disincentivize criminal hacking
• Amends the CFAA to allow limited active defense
• Allows hacking victims to retaliate and destroy stolen data using specific active defense techniques
• Prohibits destruction of data belonging to another person
• Reporting requirements
• 2-year sunset

Other Countries' Laws Governing 'Active Defense'

Other Nations

United Kingdom
• Similar to the
• Ambiguity at the tactical level, with some counsel arguing certain measures to gain attacker-related information are permissible (e.g. injection code).

France
• The French government has ownership spanning from banking to energy to telecommunications.
• France has actively engaged in industrial espionage.

Germany
• "The Hacker Paragraph" – German Criminal Code.
• Acts in preparation for data espionage or phishing are criminalized.

International Law Governing 'Active Defense'

International Law Governing the Use of Force & Self-Defense

Use of Force Under Article 2(4)
• "The Organization and its Members, in pursuit of the Purposes stated in Article 1, shall act in accordance with the following Principles. [ . . . ]
• 4. All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."

Self-Defense Under Article 51
• "Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations…"

More detail on these provisions will be discussed in panel 4.

'Active Defense' can only be undertaken by nations, and a corporation can only rely on past government conduct in its nation as to whether the government will 'hack back' on their behalf.

Questions?

© 2017 Law & Forensics. All rights reserved. Appendix

Rhea Siers
Scholar in Residence at the GW Center for Cyber and Homeland Security (CCHS)
Special Counsel – Cybersecurity, Zeichner Ellman & Krause LLP
Cyber Subject Matter Expert, RANE Network

Contact: E: [email protected] URL: https://www.linkedin.com/in/rhea-siers-69904255

Rhea Siers has an extensive operational and academic background in cyber activities, policy and research. Ms. Siers retired as a member of the Defense Intelligence Senior Executive Service after over thirty years at the National Security Agency (NSA), including postings at the Federal Bureau of Investigation (FBI) and Department of State.

Ms. Siers served in a variety of operational, legal, and policy positions dealing with some of the most critical issues facing the US Intelligence Community, including cyber operations, information sharing, counterterrorism and counterintelligence. She is currently Scholar in Residence at the George Washington University Center for Cyber and Homeland Security, where she is focused on research, education and policy on cybersecurity threats. Ms. Siers was also honored as a 2015 "Cybersecurity Trailblazer" by The National Law Journal.

Ms. Siers is also an adjunct faculty member of George Washington University, where she teaches courses on Counterterrorism Policy, Middle East Intelligence, Intelligence Oversight, Intelligence Operations and Transnational Security issues. She is co-author of "Cyber Warfare and the Law", published by Thomson Reuters. Ms. Siers received her B.A. in Political Science from Barnard College, Columbia University, New York, an MSc in International Relations and Middle East Politics from the London School of Economics and Political Science, a J.D. from the Washington College of Law, American University, and an MIPP in Transnational Security Issues from the Elliott School of International Affairs, George Washington University.

David A. Cass
Chief Information Security Officer, IBM Cloud & SaaS Operational Services

Contact: M: (929) 237 – 6986 E: [email protected] URL: https://www.linkedin.com/in/dcass001/

Mr. Cass is the Chief Information Security Officer for IBM. He has global responsibility for all aspects of security practices, processes, and policies across the IBM Cloud & SaaS business unit.

Previously Mr. Cass served as the SVP & Chief Information Security Officer for Elsevier, where he led an organization of experienced legal, risk and security professionals that provided data protection, privacy, security, and risk management guidance on a global basis for Elsevier. David has extensive experience in IT security, risk assessment, risk management, business continuity and disaster recovery, and developing security policies and procedures. He has played a key role in leading and building corporate risk & governance and information security organizations in the financial sector. As the Senior Director of Information Security Risk and Governance for Freddie Mac, David rebuilt the risk and governance function and developed a team to provide risk assessments, methodologies, tools, services, and training to improve the organization's capabilities and maturity. Prior to that he was Vice President of Risk Management for JPMorgan Chase, and was responsible for providing an accurate assessment of the current risk management state, contributing to the future direction of risk management, continuity and disaster recovery capabilities for the organization.

David has an MSE from the University of , and an MBA from MIT. He is also a frequent speaker at high-profile industry conferences, and serves on the Board of Directors for PixarBio Corporation.

Aristedes Mahairas
Special Agent in Charge of Special Operations/Cyber Division of the New York Office, FBI

Contact: E: [email protected] URL: https://www.linkedin.com/in/aristedes-mahairas-3164b5120/

Special Agent in Charge (SAC) Aristedes Mahairas entered on duty with the Federal Bureau of Investigation (FBI) in 1996. He has served as the FBI's Legal Attaché in Athens, Greece, and was a Supervisor on the Joint Terrorism Task Force. SAC Mahairas also served as a Section Chief of the Strategic Operations Section in the Counterterrorism Division of FBI Headquarters, and as the Chief of Staff to the Executive Assistant Director of the National Security Branch. In 2015, FBI Director James B. Comey appointed him as the SAC of the FBI's New York Special Operations/Cyber Division. Prior to his entry into the FBI, SAC Mahairas served as a Police Officer in New York City. He received a Bachelor of Arts degree in Political Science from Baruch College and his Juris Doctor from New York Law School.

Roland Cloutier
VP, CSO, ADP

Contact: E: [email protected] URL: https://www.linkedin.com/in/rolandcloutier/

As the CSO of one of the world's largest providers of human capital management solutions, Roland Cloutier has functional and operational responsibility for ADP's cyber, information protection, risk, workforce protection, crisis management and investigative security operations worldwide. Roland's depth of global protection and security leadership experience includes the management of strategic converged security and business protection programs. Prior to ADP, he served as CSO of EMC, where he spearheaded protection of the company's worldwide business across commercial and government sectors. Roland has also held executive security management roles at consulting and managed security service organizations, and served the first half of his more than 25-year career in federal law enforcement.

Examples of Other Countries' Laws Governing 'Active Defense'

UK Computer Crime Law (Computer Misuse Act 1990, section 1)

Unauthorised access to computer material.
1. A person is guilty of an offence if—
   a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
   b) the access he intends to secure, or to enable to be secured, is unauthorised; and
   c) he knows at the time when he causes the computer to perform the function that that is the case.
2. The intent a person has to have to commit an offence under this section need not be directed at—
   a) any particular program or data;
   b) a program or data of any particular kind; or
   c) a program or data held in any particular computer.
3. A person guilty of an offence under this section shall be liable—
   a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;
   b) on summary conviction in Scotland, to imprisonment for a term not exceeding months or to a fine not exceeding the statutory maximum or to both;
   c) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine or to both.

China's Computer Crime Law

• Article 285. Whoever violates state regulations and intrudes into computer systems with information concerning state affairs, construction of defense facilities, and sophisticated science and technology is to be sentenced to not more than three years of fixed-term imprisonment or criminal detention.

• Article 286. Whoever violates state regulations and deletes, alters, adds, and interferes in computer information systems, causing abnormal operations of the systems and grave consequences, is to be sentenced to not more than five years of fixed-term imprisonment or criminal detention; when the consequences are particularly serious, the sentence is to be not less than five years of fixed-term imprisonment.

German Computer Crime Law

• Section 202a. Data Espionage: (1) Any person who obtains without authorization, for himself or for another, data which are not meant for him and which are specially protected against unauthorized access, shall be liable to imprisonment for a term not exceeding three years or to a fine. (2) Data within the meaning of subsection 1 are only such as are stored or transmitted electronically or magnetically or in any form not directly visible.

• Section 303a. Alteration of Data: (1) Any person who unlawfully erases, suppresses, renders useless, or alters data (section 202a(2)) shall be liable to imprisonment for a term not exceeding two years or to a fine. (2) The attempt shall be punishable.

• Section 303b. Computer Sabotage: (1) Imprisonment not exceeding five years or a fine shall be imposed on any person who interferes with data processing which is of essential importance to another business, another's enterprise or an administrative authority by: 1. committing an offense under section 303a(1) or 2. destroying, damaging, rendering useless, removing, or altering a computer system or a data carrier. (2) The attempt shall be punishable.