Active Defense: Definitions


Panel 3 - Controlling the Troops: "Active Defense" - Is it Legal in the US and Abroad?

Moderator:
• Rhea Siers, Scholar in Residence at the GW Center for Cyber and Homeland Security (CCHS), Special Counsel – Cybersecurity, Zeichner Ellman & Krause LLP, Cyber Senior Advisor, RANE Network

Panelists:
• David Cass, Chief Information Security Officer, IBM Cloud & SaaS Operational Services
• Aristedes Mahairas, Special Agent in Charge of Special Operations/Cyber Division of the New York Office, FBI
• Roland Cloutier, VP, Chief Security Officer, ADP

(c) Journal of Law & Cyber Warfare. All Rights Reserved.

Disclaimer

• This is not legal advice nor should it be considered legal advice.
• This presentation and the comments contained therein represent only the personal views of the participants, and do not reflect those of their employers or clients.
• This presentation is offered for educational and informational uses only.

(c) Journal of Law & Cyber Warfare 2017. All Rights Reserved

Active Defense: Definitions

Dictionary of Military and Associated Terms
• The employment of limited offensive actions and counterattacks to deny a contested area or position to the enemy.

SANS Institute
• The process of analysts monitoring for, responding to, learning from, and applying their knowledge to threats internal to the network.
Center for Cyber & Homeland Security | The George Washington University
• A spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense, and that fall into two categories: (1) technical interactions between defender and attacker, and (2) operations that enable defenders to collect intelligence on threat actors and indicators on the internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behavior of malicious actors.

Active Defense Spectrum

• Annoyance: Honeynets, honeypots, tarpits, sandboxes, denial deception
• Attribution: Network protocol analyzers, beacons (notification & identification), intelligence gathering on the dark web
• Attack: Botnet takedowns, White-hat ransomware, asset rescue missions, hack back

Domestic Law Governing ‘Active Defense’

Governing U.S. Law

• Wiretap Act
  • Prohibits interception of wire, oral, or electronic communications without consent.
  • Federal law requires one-party consent.
  • Parallel state law may require two-party consent.
• Cybersecurity Act of 2015
  • Establishes a mechanism for cybersecurity information sharing.
  • Creates an anti-trust law exemption for cybersecurity information sharing.
• Computer Fraud and Abuse Act
  • Prohibits intentionally accessing a computer without authorization or exceeding authorized access and obtaining information that has been determined to require protection against unauthorized disclosure.
  • The CFAA prohibits:
    • Obtaining national security information
    • Accessing a computer and obtaining information
    • Trespassing in a government computer
    • Accessing a computer to defraud and obtain value
    • Intentionally damaging a protected computer by knowing transmission, or recklessly or negligently causing damage and loss by intentional access
    • Trafficking in passwords
    • Extortion involving computers

An ‘Active Defense’ Exception to the CFAA

A proposed amendment to the CFAA was released by Rep. Tom Graves on May 25, 2017:

“The provisions of [the CFAA] shall not apply with respect to the use of attributional technology in regard to a defender who uses a program code, or command for attributional purposes that beacons or returns locational or attributional data in response to a cyber intrusion in order to identify the source of an intrusion.”

Gray Zone in the Law

Gray Zone Example

• Google “Operation Aurora” hack (2009)
• Google retaliated by supporting a mission to operate outside of its network to track down the attackers.
• Google’s search led them to a server in Taiwan, and found that the attacks were likely being controlled from China and involved at least 30 targeted companies.
• Google shared its findings with law enforcement, the intelligence community, the companies involved, and the public.
• To date the government has never prosecuted a single company for engaging in active defense measures similar to Google’s, although it does warn of its authority to do so.
Legislative Initiative to Allow Limited “Hacking Back”: Active Cyber Defense Certainty Act

• Objective: disincentivize criminal hacking
• Amends CFAA to allow limited active defense
• Allows hacking victims to retaliate & destroy stolen data using specific active defense techniques
• Prohibits destruction of data belonging to another person
• Reporting requirements
• 2-year sunset

Other Countries’ Laws Governing ‘Active Defense’

Other Nations

United Kingdom
• Similar to the United States
• Ambiguity at the tactical level, with some counsel arguing certain measures to gain attacker-related information are permissible (e.g. injection code).

France
• French government has ownership spanning from banking to energy to telecommunication.
• France has actively engaged in industrial espionage.

Germany
• “The Hacker Paragraph” – German Criminal Code.
• Acts in preparation for data espionage or phishing are criminalized.

International Law Governing ‘Active Defense’

International Law Governing the Use of Force & Self Defense

Use of Force Under Article 2(4)
• “The Organization and its Members, in pursuit of the Purposes stated in Article 1, shall act in accordance with the following Principles. [...]
  4. All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”

Self-Defense Under Article 51
• “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations…”

More detail on these provisions will be discussed in panel 4.

‘Active Defense’ can only be undertaken by nations, and a corporation can only rely on past government conduct in its nation as to whether the government will ‘hack back’ on its behalf.

Questions?

© 2017 Law & Forensics. All rights reserved.

Appendix

Rhea Siers
Scholar in Residence at the GW Center for Cyber and Homeland Security (CCHS)
Special Counsel – Cybersecurity, Zeichner Ellman & Krause LLP
Cyber Subject Matter Expert, RANE Network
Contact: URL: https://www.linkedin.com/in/rhea-siers-69904255

Rhea Siers has an extensive operational and academic background in cyber activities, policy and research. Ms. Siers retired as a member of the Defense Intelligence Senior Executive Service after over thirty years at the National Security Agency (NSA) including postings at the Federal Bureau of Investigation (FBI) and Department of State. Ms. Siers served in a variety of operational, legal, and policy positions dealing with some of the most critical issues facing the US Intelligence Community including cyber operations, information sharing, counterterrorism and counterintelligence. She is currently Scholar In Residence at the George Washington University Center for Cyber and Homeland Security, where she is focused on research, education and policy on cybersecurity threats. Ms. Siers was also honored as a 2015 "Cybersecurity Trailblazer" by The National Law Journal.

Ms. Siers is also an adjunct faculty member of George Washington University where she teaches courses on Counterterrorism Policy, Middle East Intelligence, Intelligence Oversight, Intelligence Operations and Transnational Security issues. She is co-author of “Cyber Warfare and the Law” published by Thomson Reuters. Ms. Siers received her B.A. in Political Science from Barnard College, Columbia University, New York, an MSc in International Relations and Middle East Politics from the London School of Economics and Political Science, a J.D. from the Washington College of Law, American University, and an MIPP in Transnational Security Issues from the Elliott School of International Affairs, George Washington University.

David A. Cass
Chief Information Security Officer, IBM Cloud & SaaS Operational Services
Contact: M: (929) 237 – 6986 URL: https://www.linkedin.com/in/dcass001/

Mr. Cass is the
