Fordham Intellectual Property, Media and Entertainment Law Journal Volume 24 Volume XXIV Number 2 Volume XXIV Book 2 Article 2 2014 Hacking the Planet, the Dalai Lama, and You: Managing Technical Vulnerabilities in the Internet Through Polycentric Governance Amanda Craig Indiana University Maurer School of Law, [email protected] Scott Shackelford Indiana University - Kelley School of Business - Department of Business Law ; Stanford Law School ; Hoover Institution, Stanford University, [email protected] Follow this and additional works at: https://ir.lawnet.fordham.edu/iplj Part of the Intellectual Property Law Commons Recommended Citation Amanda Craig and Scott Shackelford, Hacking the Planet, the Dalai Lama, and You: Managing Technical Vulnerabilities in the Internet Through Polycentric Governance, 24 Fordham Intell. Prop. Media & Ent. L.J. 381 (2015). Available at: https://ir.lawnet.fordham.edu/iplj/vol24/iss2/2 This Article is brought to you for free and open access by FLASH: The Fordham Law Archive of Scholarship and History. It has been accepted for inclusion in Fordham Intellectual Property, Media and Entertainment Law Journal by an authorized editor of FLASH: The Fordham Law Archive of Scholarship and History. For more information, please contact [email protected]. Hacking the Planet, the Dalai Lama, and You: Managing Technical Vulnerabilities in the Internet Through Polycentric Governance Cover Page Footnote This Article is based on Chapter 3 in SCOTT J. SHACKELFORD, MANAGING CYBER ATTACKS IN INTERNATIONAL LAW, BUSINESS AND RELATIONS: IN SEARCH OF CYBER PEACE (2014). The authors wish to thank Cambridge University Press for granting them permissiong to adapt this material and Brenton Martell for his invaluable research support. This Article is dedicated to Jim and Teresa Craig. This article is available in Fordham Intellectual Property, Media and Entertainment Law Journal: https://ir.lawnet.fordham.edu/iplj/vol24/iss2/2 Hacking the Planet, the Dalai Lama, and You: Managing Technical Vulnerabilities in the Internet Through Polycentric Governance Amanda N. Craig* & Scott J. Shackelford† INTRODUCTION .............................................................................. 383 I. AN INTRODUCTION TO REGULATING CYBERSPACE THROUGH POLYCENTRIC GOVERNANCE ....................... 389 II. MITIGATING VULNERABILITIES IN NETWORK ARCHITECTURE AND CODE TO ENHANCE CYBERSECURITY FROM THE BOTTOM UP ....................... 392 A. Securing the Internet’s Physical Infrastructure ...... 392 B. Managing Vulnerabilities in the Logical Infrastructure .......................................................... 395 1. TCP/IP .............................................................. 395 2. DNS .................................................................. 397 3. BGP .................................................................. 399 C. Protocol Fixes ......................................................... 401 1. IPsec ................................................................. 402 2. DNSSEC ........................................................... 405 3. Fixing TCP and BGP ........................................ 407 D. Debugging and Regulating Through Code ............. 409 * J.D. candidate, Indiana University Maurer School of Law; MsC Forced Migration and Refugee Studies, University of Oxford; BS Journalism, Northwestern University. † Assistant Professor of Business Law and Ethics, Indiana University, Senior Fellow, Center for Applied Cybersecurity Research; Distinguished Visiting Fellow, University of Notre Dame. This Article is based on Chapter 3 in SCOTT J. SHACKELFORD, MANAGING CYBER ATTACKS IN INTERNATIONAL LAW, BUSINESS AND RELATIONS: IN SEARCH OF CYBER PEACE (2014). The authors wish to thank Cambridge University Press for granting them permissiong to adapt this material and Brenton Martell for his invaluable research support. This Article is dedicated to Jim and Teresa Craig. 381 382 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. [Vol. 24:381 E. The Threat of Social Engineering to the Content Layer ....................................................................... 413 F. Summary .................................................................. 416 III. UNDERSTANDING THE CYBER THREAT ECOSYSTEM WITHIN A POLYCENTRIC FRAMEWORK ......................... 417 A. From the Foothills of the Himalayas to the Frontiers of Cyberspace: Introducing the Cyber Threat Ecosystem .................................................... 417 B. Toward a Polycentric Approach to Mitigating Technical Vulnerabilities ........................................ 423 This Article analyzes key vulnerabilities in the Internet’s infrastructure, protocols, and code, and how they may be better managed through interventions at multiple levels. In particular, this Article examines the concept of polycentric governance and its applicability to technical vulnerabilities in the Internet. This theory has been championed by proponents such as Nobel Laureate Elinor Ostrom and promotes self-organization and networking regulations at multiple levels to address an array of global issues, from urban crime, to climate change and cyber attacks. However, there has not yet been a consideration of the applicability of this framework to technical Internet vulnerabilities explicitly, which is a conversation this Article seeks to jumpstart. ‘The Internet was designed without any contemplation of national boundaries. The actual traffic in the Net is totally unbounded with respect to geography.’ Vint[on] Cerf, who uttered those words, should know; he helped design the computer protocols that made the Internet possible. And yet the ‘father of the Internet’ is only partially right. Yes, the Internet he designed did not contemplate national boundaries. But no . the Internet is not ‘unbound with respect to geography.’ Cerf’s central mistake, a mistake typically made about the Internet, is to believe that there was something 2014] HACKING THE PLANET, THE DALAI LAMA, AND YOU 383 necessary or unchangeable about the Net’s original architecture. – Harvard Professor Jack Goldsmith and Columbia Professor Tim Wu1 The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead- lined room with armed guards—and even then I have my doubts. 2 – Purdue Professor Gene Spafford INTRODUCTION Dr. Charlie Miller says that he can crash the Internet and take control of some of the most protected computer systems in the world.3 Miller, now a cybersecurity analyst at Twitter,4 was the first person to break into Apple’s iPhone; he discovered a software flaw that would have allowed him to take control of every iPhone on the planet.5 He has won the prestigious Black Hat cybersecurity competition, among numerous other awards, and worked for the NSA for five years.6 In 2010, while presenting at a NATO Committee of Excellence conference on cyber conflict in Tallinn, Estonia, Miller conducted a thought experiment—if he was forced 1 JACK GOLDSMITH & TIM WU, WHO CONTROLS THE INTERNET?: ILLUSIONS OF A BORDERLESS WORLD 58 (2006). 2 QUOTABLE SPAF, http://spaf.cerias.purdue.edu/quotes.html (last visited Jan. 14, 2014) (citing A. K. Dewdney, Computer Recreations: Of Worms, Viruses and Core War, 260 SCI. AM., Mar. 1989, at 110, 110). 3 See Charlie Miller, Presentation at the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Conference, in Tallinn, Est. (June 17, 2010), available at http://ccdcoe.org/conference2010/materials/app.html. 4 See Andy Greenberg, Twitter Hires Elite Apple Hacker Charlie Miller to Beef up Its Security Team, FORBES (Sept. 14, 2012, 10:05 AM), http://www.forbes.com/sites/ andygreenberg/2012/09/14/twitter-snags-elite-apple-hacker-charlie-miller-to-beef-up-its- security-team. 5 See Andy Greenberg, How to Hijack ‘Every iPhone in the World’, FORBES (July 28, 2009, 5:40 PM), http:www.forbes.com20090728hackers-iphone-apple-technology- security-hackers.html. 6 See Kelly J. Higgins, Apple ‘Ban’ Gives Miller Time to Hack Other Things, DARK READING (July 10, 2012), http://www.darkreading.com/end-user/apple-ban-gives-miller- time-to-hack-othe/240003490. 384 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. [Vol. 24:381 to, how would he go about crashing the Internet and taking control of protected systems?7 In the scenario that he imagined, former North Korean leader Kim Jong-Il had kidnapped and induced him to “hack the planet”—to control as many protected systems and Internet hosts as possible so as to dominate cyberspace. Miller then catalogued all of the steps that would be required to meet this audacious goal. He would need people—roughly 600 working throughout the world, and a way to communicate with them.8 The trick would be identifying them—a task made easier if Miller or another expert in the field was a willing co-conspirator with a North Korean intelligence agency like the Cabinet General Intelligence Bureau.9 Assuming that he could gather the necessary talent, Table 3.1 describes how Miller would divide tasks among his “army.” Table 3.1: Charlie Miller’s Hypothetical Cyber Army10 Job Title Brief Job Approximate Total Cost Description Number of (in millions) Hackers Required Vulnerability Find bugs in 20 $2.9 analyst code: need to be world- class programmers Exploit Research and 70 $7.3 developers exploit vulnerabilities across a range of platforms 7 See Miller, supra note 3. 8 See id. 9 See North Korean Intelligence Agencies, FAS, https://www.fas.org/irp/world/dprk/ index.html (last visited June 12, 2013). 10 See Miller,