
So, I'm Jen, I'm from Rapid7, and I sort of focus on how we work as a community to find collaborative solutions to security problems.

Good morning, my name is Leonard Bailey. I'm Special Counsel for National Security at the Computer Crime and Intellectual Property Section at the US Department of Justice. First things: thanks to Jen for inviting me to participate with her, and thanks to [inaudible] for accepting this presentation.

Why are you always gonna make me look bad? You start thanking people and I haven't thanked anyone. I'd like to thank Patrick [inaudible].

A couple of things quickly about my office. One thing I wanted to make sure I announced was that this morning, just a couple of hours ago, we released a vulnerability disclosure framework. We've been working with the security researcher community on issues that relate to the CFAA and concerns about that statute in doing research. We set out to create a document that would help companies that were looking to create a formal voluntary disclosure program do so in a way that was clear and avoided some of the CFAA authorization questions that sometimes arise. So if you go to the DOJ Cybersecurity Unit page, you will find various documents we've posted there; among them is this vulnerability disclosure framework. So there's that, and with that we're gonna hop into our presentation.

Yeah, I'm not gonna pitch anything that Rapid7 has released, because I'm a professional. Okay, so just a quick disclaimer, because [inaudible] apparently is not affiliated with this talk in any way, so we'll let you read it. Okay. And very quickly, just to kind of give you a bit of a lay of the land: how many people saw our talk on the CFAA last year? Five? Wow, it's a completely fresh room. That's amazing, I love that. That explains a lot; I was like, should we be upset that nobody came back? We should be surprised.

This is the obligatory roadmap slide. What one of these is trying to do, and what this talk in general is trying to do, is to just make sure everyone, before we get to the fun part, which will be sort of a debate discussion about the merits of hack back and/or active defense, does some level setting. So Jen suggested we actually have Sir Mix-a-Lot to help us through this talk. I don't know if I call him Sir or Mr. A Lot or what, but you're going to be helping us. Stratus, you can start us off? Thank you.

So just to make sure we have sort of an agreement on what we're talking about, we'll talk about what hack back is, what it means. Then we'll discuss the laws that apply to it, discuss some scenarios in which it does and does not apply, and then we'll get to sort of the
controversy around whether it's a reasonable cybersecurity measure to adopt and use. So before we get started we should probably address the all-important question of what the hell we're talking about, and there are lots of different terms and usages and language, and it's all very confusing. I'm not gonna say what's on that slide because I will sound like a muppet. But there are a lot of different things that people talk about when they talk about hack back, and then there are all of these different terms of art that are coming up, and they all mean something a little bit different, and some of them are super militaristic and some of them are very defense oriented. What we're going to talk about today, we're defining. So basically what they come down to is a huge range of activities that go from things that you do that are really all about defense, that are in your network, all the way through to things that are gonna go out onto the internet and cause all sorts of problems for other people. And we're gonna talk a little bit about what the legality is around the range of things, but the way that we are defining hack back for the purposes of this talk... thanks, Mix-a-Lot, please keep moving. Alright, so the way that we're defining it here is three things: it's private-sector action; it's action that is taken in response to action taken against you, so an attack against you; and it is action taken outside of technological assets that you own, control, or lease.

So let me jump in here just to add a few things. So on this spectrum, from the sort of relatively passive activities, that may be monitoring your network, IDS/IPS type activities, maybe insider threat monitoring. You know, in talking to companies we've heard them use a variety of different capabilities that go beyond that and start doing things like touching other people's networks for different reasons. So for example, people who want to be able to trace their data may implant something in their data in their network, in kind of a logic bomb fashion, and when it's taken outside the network, when certain conditions are met, it will do something unexpected, something that the owner of that network did not necessarily design. Or, you know, taking a step beyond that, if what you're doing is trying to track data that has been taken from you, you may want to secure that data on this remote network. People describe this as sort of erasing your data or retrieving your data, which I think is kind of a misnomer, in part because in most intrusions you still have your data; the problem is that someone else has it as well. So it often comes down to something like encrypting data on some remote network that you are trying to secure and restrain from being transferred. And then you get to sort of the damaging conduct. And when I say damaging, the reason I say damaging is there is a specific definition of damage that we'll get to in the law under the Computer Fraud and Abuse Act. But, you know, there has been in the policy sphere some discussion about what is damage. For example, post-Mirai there were discussions about a good worm, right, a
worm that would go out and repair networks. Now even though it is doing so arguably in the interest of good, that type of altering the settings without the permission of the system owner or device owner would be considered damage under the CFAA.

So there are lots of reasons that people state for why hack back should be authorized, and we'll get into this a little bit more when we do our panel later on. The first is the very fundamental thing: I want to be able to stop an attack that's happening right now. It's a pretty straightforward, self-explanatory statement, and I'm sure in the debate we'll talk about whether it's valid. The next one is, I mean, it's sort of the same thing but making it more preemptive, right? So it's all about trying to increase the cost of attack and trying to make it so that you're a less attractive target to attackers.

So one that you'll hear a lot is self defense or self help. Now this kind of borrows from the normal world of criminal law in the physical world, where you have, for example, assault: someone says I get to defend myself against an assault. And even if you're outside the world of a physical assault there's a question of sort of property-based self help. So where you have a repo man: a repo man may go and retrieve property that someone has no longer been paying for, and that retrieval of that property can be considered self help. There are some statutes, there are various legal frameworks and regulatory schemes around it, but that, you know, can be considered the self help that people analogize to what happens when you go out and retrieve your data from a network.

This is my favorite one, obviously. I recently had the unpleasant experience of being hacked, which is super... I love it. My name is Jen and I've been hacked. And I can tell you that now I have a lot of sympathy with this particular argument, because I was angry and I wanted to be able to do something about it and take back control and feel empowered again. And so I think it's an understandable emotional reaction.

Augmenting law enforcement. Now, I mean, it was reported last year that there's something like 4,000 ransomware attacks a day, so obviously law enforcement is not going to be able to keep up with that pace; it's not going to investigate every incident. The argument is, why not have civilian capabilities augment what law enforcement, you know, cannot get to, perhaps by helping with attribution or other things that would even advance law enforcement interests itself?

So what are the laws that apply to hack back? And this is gonna be, unfortunately, the lawyer part of it now. Generally, the
Computer Fraud and Abuse Act, which is the federal hacking statute, is typically the statute that people turn to and immediately think about. Now for purposes of our talk, even though the Computer Fraud and Abuse Act is really nine different offenses in one, we're gonna really focus on three particular crimes under the statute. The first being intentionally accessing a computer without authorization or in excess of authorization; this is a violation of 18 USC 1030(a)(2). So the gravamen of this offense really is the accessing of another computer without authorization. There's also an offense that involves knowingly causing the transmission of a program, code, or information that causes damage. So this is in some ways an inchoate crime: this occurs before even the damage has occurred, if you have just transmitted it. So if there, for example, were a worm that were unleashed, even before it caused damage we might be able to move under this particular statute. Then lastly, the classic: causing damage to a computer. It has to be damage, though, without authorization. So every day you go to work, you're on your computer, you erase words in a document; that technically in law would be damaging the computer, but you're doing it with authorization, you are doing it as an employee of a company or something of that sort. So that's not an offense. This is damage without authorization. Now if you look at these three different offenses, there is one common thread: they all really turn on this issue of authorization, and that becomes an important element of this discussion about hack back, and I'll explain why in a moment.

Oh, thank you, Sir Mix-a-Lot, I almost forgot to mention. So we talked about self help a moment ago, and this is something that people often ask: why isn't there some exception under the law that allows me to do something to help myself? Well, as the CFAA is drafted, no, there is no exception that specifically allows someone to engage in self help. There is a provision that carves the government out from the statute, from violation of the statute, for military, law enforcement, or intelligence functions done for a protective, intelligence, or law enforcement purpose. Now many of you may be thinking, you guys have gotten to hack stuff all day then, right? The truth is it's of marginal utility, because the Fourth Amendment still applies. So most of the time any of those activities is going to trigger a need for us to get a warrant or to satisfy the requirements of the Fourth Amendment. And so the fact that there is an exception to the statute can be helpful, but by and large it's not something that we can use as an authorization to just go and act without other authority.

Now under the law, the scope of the CFAA is quite broad. It includes a computer that is located outside of the United States, and so it has some extraterritorial jurisdiction. What might that mean? It might mean that if you are on the East Coast and you get hacked, and you strike back against someone using a really old computer on the West Coast, and it turns out that that's actually being used in an attack by someone from Liechtenstein, which everybody knows is a hotbed of cybercrime, and also by the way is one of only two doubly landlocked countries in the world (you can google what that means), just as an aside. You know, then you would be breaking the law not only in the US, but you'd be breaking US law not only because you're targeting the incredibly old machine on the West Coast but also because you end up going to Liechtenstein. So it doesn't really even matter what the laws of Liechtenstein say; in the US that is all illegal. There you go.

So I was meant to say something about, like, so this is all we need to worry about, it was the CFAA, and somebody got ahead of me, sorry. It tends to be the statute that people are concerned most about. One of the things that I like to make sure that people are aware of is, when people talk about the cyber kill chain, right, one of the first stages of the
kill chain is reconnaissance. What people lose in that discussion is that the reconnaissance itself is activity that may be governed under federal law, and that would be under the electronic surveillance statutes. So it's not just the CFAA that may be of concern; there are just a couple of statutes that also may be of concern, starting with the Wiretap Act. That may surprise you, but the Wiretap Act is a general prohibition that applies to everyone, government and civilians, that prohibits the interception of electronic, wire, or oral communications. Now the focus of the statute is the content of communications; basically it's defined as the substance, purport, or meaning of a communication. If you are intercepting that, you are potentially violating the Wiretap Act. Now you may ask, well, doesn't it happen every day that email providers intercept communications? Well, there are exceptions in the statute that apply to such services that cover those types of applications. There would not be one for, for example, someone who was loading a sniffer into some sort of file and had that taken in, and that then absorbed the return of communications like a password.

Now separate from that, which is about the content of communications, there's something called the pen register and trap-and-trace statute. Now it's much like, in many ways, the Wiretap statute, except the focus of this statute is not the content of communications; rather it's a prohibition on essentially using or installing a device that captures, records, or decodes dialing, routing, addressing, or signaling information. What does that essentially mean? The shorthand is, if you are using some sort of technique that is capturing non-content information, you may be dealing with a pen register trap-and-trace issue. For example, when we do something like, let's say, go up on an email account and attempt to grab an IP address for people logging in, we would go and get a pen/trap order that would allow us to do that. Now one other thing that goes with the pen register trap-and-trace statute and the Wiretap statute is both of them have exceptions, for example consent. So consent becomes an important way of complying with these statutes, and so there's a way out there that is not merely getting an order; there is making sure that you comply by making sure your programs and your activity are structured a certain way.

So yeah, so Leonard just talked through the federal laws, but there are also 50 state-level cybercrime laws that would also make hack back illegal. And then obviously there's international law. To the best of my knowledge there's no country where this is officially legal. There may be countries where we believe that it's sanctioned, but there are no countries, to the best of my knowledge, where it's officially legal, and there are some countries that might be thinking about authorizing it on an official level at the moment. And so this debate around what the implications could be and the impact internationally is incredibly relevant right now, because, you know, these countries are thinking about doing this stuff right now, and it will have a huge impact on the internet as a whole and on the US.

So how do the laws apply to actual hack back scenarios? Alright, so this is your network. Probably your network has more than three computers, but this is your network for the purposes of this, and you have defenses set up around your network. You have the usual range of defenses, firewalls and all that good stuff, and all of that's
fine. That's fine. And then you have some other things that you do that are part of active defense: some of it might be about detection or about filtering traffic, and you can do things like, you could have honeypots and you can have decoys, and all of that's fine as long as it's in your network.

Now one of the things we discussed that makes it okay in your network is that within your network you have a capability of getting authorization or consent, right? So in your workplace, that's why you have your logon banners, that's why you have your workplace policies, that's why you have all the things that allow the employer who owns the network to be able to say, hey, I've got authorization or the consent of these users to do this monitoring activity or to intercept these sorts of communications. Now that's inside your network, and that's a good dividing line in talking about hack back and any other cyber defense activities. Once you get outside the network it's a little different, right? You don't have the same means of getting authorization or consent from these other parties. You're not in commercial privity with them; you never have contact with them, and in fact in some cases they're the person who broke into your network, so you're not going to be asking them for consent or authorization to monitor what they're doing. So there you've got the issue. There's a pretty clean dividing line between inside the network and outside, just based on your legal ability to obtain the sort of consent and other permissions that make this okay under the law. So that makes it kind of hard to square with the law as it exists now.

So let's talk about some specific scenarios: tracing or securing data. Now one of the things that we hear, one of the first ones that I remember hearing about in this area, was, hey, what about the electronic dye pack? We can do that, or plant some sort of web bug or something that allows us to trace our data back to a network and then take some other action. Now what may be implicated there, and this goes back to our discussion of electronic surveillance statutes, is if, for example, what you're doing is you're sending a packet back to your network so that you could retrieve an IP address that identifies the server that's holding it, well, there's at least a question about whether the pen/trap statute applies in that scenario. If we were doing that for a law enforcement purpose we would have to deal with that in some sense, possibly getting a pen/trap order from the court. Similarly, let's say once you've located your data, you encrypt it. Now you may think that's a reasonable thing to do with it; let's say you were right and it is your data and you're encrypting it. But there are two issues at least. One is, do you have to access another network in order to effectuate that encryption? Which means that you may be dealing with unauthorized access to a protected computer. In addition, and this is kind of more academic but it's at least an issue: in rendering at least part of someone's own network unavailable to that owner, are you doing damage to that network? Novel issue, no court has talked about it, but there is at least some argument that that may fall into the strict definition of what damage is under the CFAA.
Okay, so when it comes to imposing costs, it's the same thing, right? Like, it's exactly the same thing. You can't effect damage on anything outside of your control. If you want to tear down the world inside your network, that's fine, but when it comes to going outside and planting anything like malware or anything like that that is going to make the idea of attacking you considerably less palatable, that is going to be incredibly against the law. And that includes decoy docs, because it's fine if you're doing it in your network. I like to call this slide "ducks," anyway. It's fine if it's inside your network for you to use deceptive technologies, and we use deceptive technologies, which I probably should have said is what we do. And that's totally fine. What you can't do is have something that is going to create a sort of monitoring action. So if you have something that will go out of your network and will then report back in some way, that's where you get into trouble, because as Leonard discussed, that's surveillance basically, and it falls afoul of the surveillance statutes. But if all you're doing is putting out false information, for whatever reason, you're trying to, again, impose costs by having your adversary waste time processing information that you don't intend to use, that's not going to be a violation of the CFAA. You have not accessed anything; they have taken it and brought it to their own network. You don't have to effectuate any sort of... send any command in order to get that done. So, you know, that's an example of something that might happen outside your network that would not be, for example, a violation.

Now in December of 2015 we had a new law, CISA, the Cybersecurity Information Sharing Act. It essentially did three things. One, it provided new affirmative authority to monitor information or an information system, notwithstanding any other provision of law. Why is that important? Well, "notwithstanding any other provision of law" is sort of the tactical nuclear strike of legal language. It means it overrides any other law, including the Wiretap Act. So if you are monitoring your network for what is defined as a cybersecurity purpose, you may do so without fear of violating any laws. The second thing it did, notwithstanding any other provision of law again, was to authorize applying what are called defensive measures to information or an information system, again for a cybersecurity purpose. We're gonna come back to the second one. The third thing was information sharing authority: it authorized you to share cyber threat information and defensive measures, again for a cybersecurity purpose. That's less relevant to our discussion today; very relevant to computer security research, which we should do a presentation on some other time.

But on the defensive measures provision, here's what's important about that. So when Congress created this defensive measures authorization, there was concern, including from the Department of Justice, that what it would do was create a backdoor hole in the CFAA that said it's not a violation of the CFAA to do something for a cybersecurity purpose that included breaking into a network or damaging a network, and we thought that that was not, without further vetting, a good idea. Congress seemed to agree, and in fact it intentionally drafted the provision to carve out hack back. Now how do we know that? Well, we know that because in the only thing we have that is sort of legislative history of that act, the joint explanatory statement that was issued by the House and the Senate on this bill, they specifically said it is significant that the authorization for defensive measures does not include activities that are generally considered offensive in nature, such as unauthorized access. And again, specifically it carves out hack back activities. So whatever they intended under this new authorization, it did not include that.

Now the way this was effectuated was in defining what a defensive measure was: they carved out activity that destroys, renders unusable, or substantially harms information or an information system, and they carved out anything that provided unauthorized access to information or an information system. I ask myself this question every day. Yeah, so as I mentioned, there is monitoring authority. So if, for example, you have some honeypot out in the world, and you have it in the sky so it doesn't look like part of your system, well, as long as you actually are the operator of it, CISA authorizes you to monitor it as much as you want, as long as it's for a cybersecurity purpose.
Now you may ask, well, can I monitor the network of the guy who's breaking into my network? And the answer to that is no, for this reason: along with that, Congress said, yes, you may monitor a third party's network, but only with the authorization and written consent of that third party. So that's not gonna help you with an adversary, right? But it would help you with your own honeypot. So yes, if you have a cybersecurity purpose you can do a lot. And I would put that another way, or I think he would say: he likes big pots and he cannot lie. Try the steak. Yes.

So, how about some hack back legislation? Getting serious a little bit. So there has been a proposal in the US this year; it's been introduced twice by Tom Graves, and it is called the Active Cyber Defense Certainty Act, ACDC, and it looks to create an exemption under the CFAA. Really? So there it is. I don't know. Anyway, so, oh my god, it's so... okay. So what it does is it looks to create an exemption under the CFAA for, as the slide says, attributed... attributional activities. Oh my god, that was a lot to say. And so it really focuses on the piece around trying to figure out who is doing the attack and what they're after and all that kind of stuff. So it's really about sending information back and that kind of thing. What it doesn't do is... sorry, I can't see the slides changing very well. What it doesn't do is anything beyond that. So I would urge you to go and read it; it's two and a half pages, it will take you three minutes to read, and for something as complex as hack back that is a little crazy in my opinion, because what it doesn't do at all is address any of the very serious challenges that exist, which we're going to discuss at length in the next portion of the talk. It doesn't answer them; it doesn't give any proposal for how you would make hack back work in reality in a pragmatic way. All it really does is this sort of carve-out to the CFAA. It doesn't even address the surveillance statutes issue; it just sort of has this carve-out to the CFAA around the idea of attribution.

And let me say formally: the Department of Justice has not taken a position on the ACDC. But, I mean, we've had some contact with folks on the Hill who have drafted it, and, you know, one, we do applaud them for trying, because with all this discussion of hack back and creating authority, no one has really tried to put that in writing. I think one thing we've seen, and I think that they appreciate, is exactly how hard it is, and how hard it is to get right; there are so many different interests and issues that attach to it. So, I like policy debates. Policy debates!

Yeah, we should do something for the rest of the talk. Before moving into this, I want to say, all joking aside, you should go and look at the vulnerability disclosure... what is the word you're using? Framework. I would urge you to go and look at that on the interwebs. Well, if you actually just did a web search, it's not showing up. Really? Yes it is, it's on the first page. If you go to the DOJ Cybersecurity Unit at CCIPS, which is, if you're into intellectual property, the Computer Crime and Intellectual Property Section, the CCIPS DOJ webpage, there is a heading for white papers, and under white papers there's a heading for vulnerability disclosure, and you should find it there.
And bravo, people, we've already gone and looked. Well done. Alright, so without further ado, we're gonna invite our panelists up, and one of them to bring a chair, because otherwise we're a little stuck. And can we also ask for the projector? That's what I was...

Oh, I don't know that the pony has that much to say, honestly. He seems like the strong silent type to me. So just for anyone who's wondering, Leonard very reasonably asked for pink ponies that we could ride in on for our talk, [inaudible] Sir Mix-a-Lot to sing us in, which I thought was a completely reasonable ask. And so there's a pink pony, because he was not willing to bend on the color, and I have a purple one. You can look after him; he's mine. He's napping; I think Leonard shot him earlier, which is a little awkward. Alright, so the riding part is missing. I rode in on mine; just because you didn't see it doesn't mean it didn't happen.

Alright, so I'm gonna ask you guys to introduce yourselves. Davi, you start us off? Okay. Oh, hello. Davi Ottenheimer, that's my name, and I work for MongoDB now. I'm probably better known for flyingpenguin, a company I've run for years. I guess I should mention in 2012 I did a lot of active defense work and started a company to actually get a court case heard on this topic, and I can say that we were a failure, because no one actually heard the case. We never got into the public eye, but that was the focus of my work for a number of years. And then also I focused on cloud and big data security for a long time, back to 1999, so when they talk about these perimeters I instantly think that's just [ __ ].

Nathaniel Gleicher. I'm head of cybersecurity strategy at Illumio, which is a data center and cloud security company. Before that I was at the National Security Council at the White House, and before that I worked with Leonard at DOJ. So computer science and legal background, which means I never know whether to put on a hoodie or wear a suit, and I kind of end up strangely in between.

Hi, I'm Rob Graham. I've created a number of things. Back in 1998 I created BlackICE, which was the first IPS; it was also a desktop firewall. It had a number of actual hack back features, you know, it would go back and scan you, or it would manipulate traffic in fun ways to frustrate the attacker. And over the years BlackICE was bought by ISS and then by IBM, and IBM sort of just cancelled the product. But if you scan the internet you'll see occasionally NetBIOS node status queries coming from high ports, three of them in a row, and that's actually BlackICE coming back and scanning you, saying why are you scanning me? So it's still out there and active in various places in the world, for whatever reason. And I do a bunch of other stuff like masscan and sidejacking and other stuff.

And you already know us; we're not gonna reintroduce ourselves. Okay, so I'm gonna start off by asking, since I know you guys never agree with each other on anything, how you feel about the definition of hack back that we're using, and do you feel like... before we get into talking about why it should or should not happen.

Yeah, it's a perfect definition. I think the most important part is that it says when you are touching computers that you don't own, or for whatever reason they're not your systems. I think that's the critical part, versus other active
defensive techniques when you're touching your own systems I guess I would disagree because I mean my background before computers was in the intervention ethics arena I study history for a long time and so that sort of gray area always exists in concepts of ownership and since I worked in cloud for so long a virtualization and shared environments it's not clear to me when authorization really has been granted officially versus you're on somebody else's machine that they've allowed you to be on parents are a good example of this they haven't authorized you per se but you just know you're a child there so you can get on and do stuff cloud is that to the nines one thing that I would
add it's a it's a good definition but it does cover a wide range of specific elements and I think for hack back discussions in particular the devil is really in the details so you have beginning in that def and then you have targeted destruction of property in the definition and those both fall under it and make sense to talk about both of them but the trade-offs and the consequences with them are very different okay so why don't we get into some of that specifics how about tell me you give us some of your pace for why hack bike should be authorized and it should be okay and what kinds of well there are lots of
good I think there's an ethical angle to this which is and you mentioned a lot of it but is you know should you help somebody who's drowning or should you stand there and laugh at them take a video I think there a lot of cases where you know you can help and you go in without authorization being explicit but you have access so in that case they would thank you for coming in and saving them from worst harm by going after somebody who was hurting them that they didn't even see or they weren't home like taking over a house when somebody is invading it and those people are on vacation for example there's a lot of
cases where I've been asked for example to go in and and find out who's stealing things and then stop them from stealing it so in that sense I've been asked to get on to systems that are being used for thefts that are in shared environments that they don't own but I don't own and so I feel like there are a lot of cases where the ethics would be on the side of the person trying to do right so let me bring is one issue that I think comes up a lot in this debate I think most people when are thinking about what should be permissible as a hack back activity they put themselves in the in the shoes of the good guy I'm
going out to do something and then to repair something as opposed to let's say that third party Network owner so now you were the owner of that network who gets a call from someone who says no I just went in and changed your settings because well I they're gonna be better this way or the person who says you know I had some information on your network that was taken from me and dropped there I found it I erased it I had to look around make sure I got the right stuff but we're all good now don't worry about it I think from that vantage point it starts kind of teasing out why some of this on a policy level is is problematic
because: are we in a better situation where that is happening, you know, liberally or not? I mean, I think you could debate that either way. I kind of think we're not, though.

Yeah, in a shared data center, for example, you can go in and you can find a lock that's been broken by someone else and fix the lock, and you're not authorized to fix it in the data center. This actually happened to me. They tried to get angry and tried to arrest me, but I'm like, look, it's better than it was before, and this is a shared environment, so I'm just doing it for my own purposes as well as for other people.

So what you're saying, Leonard, is that there's a gray area that bad people can use to say, "Hey, I'm hacking back for good," but they're actually doing something for evil? Is that what you're saying?

Actually, no. I mean, that could be the case, but I'm actually more thinking of, let's say you are entrusted with information, or you are trying to secure your own network, and someone has now altered it in a way that they claim is for good, or for their own interests but not against yours. For example, let's say I have an NTP server that's being used for reflection at 600 times: they send me a request, I reflect it back 600 times more, and it's being used for DDoS. So if someone comes in, hacks my computer and turns it off, or reconfigures it to no longer do reflection, I'm not happy, because it's not performing as I want. But obviously I've been harming people more than whatever, so they had a good intent. I'm not happy with it, potentially; maybe I am happy with it. But either way they had good intent, and it stopped that DDoS attack.

Okay, well, let me give you another example, which rips off what Leonard was talking about, which is: someone's using you to store stolen data. They've transited through your system, they're storing stolen data on that system, and the person whose data was stolen comes into your system, finds it and deletes it. Then they tell you, and they say, "I had to look around a little bit," like Leonard was saying. And it turns out you have a bunch of sensitive data on that system that you really care about, totally unrelated from the fact that it would have been compromised and was being used. How do you feel, or how concerned are you, about the fact that this other person was in your system mucking around, sort of, "Oh, I don't need that, I don't need that, this is mine, I'm gonna get rid of it"? And maybe they did exactly what they said and they didn't look at anything else; maybe they only removed their own data. But now, from your perspective, there were two people in yours doing stuff, and you don't know what they were doing. Now you have to try to figure it out.

Yeah, you know what, if that was a lawyer's computer, and someone said, "I accessed your computer," and they've got files on legal cases, now they've got a duty to go to the court and say, "Hey, someone may have read all the files on my computer," whether or not they did. And that would be a terrible thing. On the other hand, this brings up the question of culpability of the third-party system, whether it's a DDoS reflector or somebody stashing stolen files: are they helping commit a crime?
That's why they mentioned the good worm. For the Mirai worm, people made a worm that would be the good worm that went and patched all the Mirai systems. Or, as part of the Ethereum one, right, they tried to stop the coins from being stolen by hacking in and changing the code.

It just sounds like antivirus, to be honest. When you describe this, have you authorized it, to the extent it's operating? Maybe, but it's going and changing things for your own good. This is next-gen antivirus.

Well, pretty much. In the Ethereum matter, when you look at the details of what they did: the bad guys had stolen like 30 million dollars' worth of tokens. The good guys noticed this and white-hat stole the rest of the 208 million dollars' worth of tokens that were using that same code, without authorization.

Well, yeah, but did they access a computer, by the way?

Anyway, and then, once they stole the money, they stole all the tokens, then they belonged to the hackers, and then the hackers went to return all those tokens back to the original owners, but with a new contract that didn't have that bug. So they stole two hundred million dollars' worth of money.

Well, quarantine. And I think one of the challenges in having this discussion is pinning down exactly the scenario you're talking about. So, you know, absolutely, there are definitely examples that are, you know, I'd argue, fringe cases that are important, and you have to figure out how they fit into a policy framework. There are some others that are kind of in that realm that raise other questions. Let me pivot to one issue, which is, one of the reasons why the Department has been critical of hack back is not just that it's illegal; we're just not sure it's good policy, and it might be bad policy for a variety of reasons. But when we talk to people about things like, "Hey, I think I want to be able to go and retrieve my data," we keep coming back to the question: is it effective, right? If these are effective means of dealing with a problem, we really have to look at it and figure out whether these are changes that should be made in the law so that they can be done, you know, more liberally, more broadly.

With something like retrieving your data, for example, I mean, the problem we run into when talking to people and trying to trace how that would work is, one, people are saying, "Well, if I see it leaving my network..." Well, let's stop there. We know that, different numbers, but anywhere between 60 and 200 days is how long it takes; that's about the dwell time for intruders. So it's possible you're watching in real time someone take your data, but it's more likely you're discovering it long after the fact, when it's already traveled, and it's already somewhere where it's traveled again and again and again. Then let's say you did see that; you saw it travel. Well, to do something you'd have to be able to access the remote network. How is it you have access to the remote network? Either you don't, or you're now breaking into the remote network, again taking us to the question of: are we in a better place if, basically, to retrieve your data, you're breaking into other networks to get it? And then you come to the question we just talked about, which is whether you would be rooting around in someone's network, which, in our mind, we think of the CFAA as kind of a privacy statute as well as kind of a property statute, and if you are going to be kind of running through other people's networks, you are eventually compromising the information that's there.

So one of the issues I run into is, this is a really gray area, and that's where I like to live, and there's no hard-edged way to describe it. Like, somebody hasn't authorized you; that can change quickly if you send them something which they click on, which authorizes you, and then they've said yes without realizing. So have you deceived them, or have you presented it in a way that they're just willing to go along with? And I feel like in order to write policy we have to have a robust debate, but part of the problem, and why we tried to start this company, was there's a lot of this going on. It's happening, and we can't talk about it, because every time I get on the subject and say it's pretty good and it works, people say, "Do you like being arrested on stage?" Because that's what happens if you talk about how good it is and what you're doing. So I think we were hearing from people who were opposed much more often than those
doing it, who see no advantage to really bringing it up and talking about it.

You're saying that you'd like a brave plan? And I'm not doing it, so it makes it easy for me to talk about it, but others are. You're taking notes, right?

So just a quick note on questions: we're gonna let the conversation run, and then if we have time at the end we'll stop and take questions. Okay, just wanted to let people know.

So on Leonard's point about how we lay out the policy question, it depends upon what samples you're using to look at this. Because one way to look at hack back is, okay, I have a packet denied by the firewall, so I'm then launching a huge DDoS against whatever it determines the source is, in order to deter the hacker. Which we all know is a hugely stupid idea, because that's a spoofed packet in all likelihood, and you're now DDoSing innocent victims. So I've chosen there an example of hack back that's a very bad policy, versus what I proposed with the Ethereum or the good Mirai worm, of things that people do that obviously have benefits. There's so much we can do: there's botnets to stop, there's malware to stop, viruses to stop. The US, if we had the gloves taken off in the world, we'd actually address that and go after the perpetrators of these things. And we do occasionally, but it's illegal.

Yeah, on that point, I find also, with mules, we tend to arrest... if you know, mules are people that are doing things on behalf of someone else. It's stupid in the sense that you're going after the person who's attacking you, and that's not really the source, but that's kind of like arresting all the mules and not getting to the mob boss. And so we do that to a large extent and it seems okay, but we sort of frown on people going after the mules in the logical realm.

So I think it's important to disaggregate. You guys had earlier a slide about goals, and thinking about what we're doing and why we're doing it is really important, because we're talking about two different types of hack back here, right? One is: I'm a company or an individual, I've been targeted, someone did something bad to me, and I'm trying to make them stop. Right, so it's a one-to-one ratio in some sense; it's a retail response. And the second, if we're talking about the Ethereum and sort of the Mirai response, this is much more: there's a big industry-wide problem or community-wide problem, and I'm trying to provide a service to help solve it. It's much more about making everyone safer as opposed to making that guy stop doing that. And they're very different interactions, and the cost and consequences of the two of them are very different. And if you think, for each of them, what we're really asking is: there is a sum total of, say, $100 of security investment that an individual organization can make, or a community can make as a whole, and for every dollar that gets invested in offensive responses, in hack back, that is a dollar that does not get invested in other types of responses. And so the question that we would be asking in these two very different frames is: is moving those dollars a good idea? Is it better to spend $80 on defense and $20 on hack back, or fifty and fifty, or not? And in each of those environments the answer is very different, is what I would argue. And I think by conflating them we sort of end up in exactly the problem that you're mentioning, which is we have different examples, and it's easy to pick an example and then talk a little bit past the trade-offs and consequences.

So let's do it. Let's break them apart. Like, let's look at Rob's example of things like Mirai and stop there, and then we'll address Ethereum. So what are the arguments against taking action in those kinds of situations?

Well, in the good worm case, Mirai, it damaged a lot of the cameras, so the cameras no longer
function. They no longer did their primary purpose, but they stopped doing the evil thing, which was spreading the worm and doing a DDoS.

Seems like a pretty strong argument against doing things.

Well, no, potentially. Like, for example, most of us are Americans, we're in America right now, but most of the Mirai botnet was outside of America. It was in Vietnam, it was all over the place, not in the United States. They're not Americans. One thing is, domestic policy is different from foreign policy. Domestic policy might say, "Hey, no, we can't damage the cameras." Foreign policy is, "Yes, definitely, let's damage those cameras," and cause countries like Vietnam to take control of networks and stop flooding lots of traffic. So a foreign policy might have a very... oh yeah.

Well, and that's a choice that one would expect a government to make, right? In hack back we were narrowed to private actors here, which is an interesting constraint. We're imagining individuals or companies making a decision that directly impacts the foreign policy choice.

Or people that left the government and work in private companies.

So I actually think the problem here isn't so much intent. I think the problem is consequences and result, because you can engage in off-network hacking with very good intent and have very bad consequences, and you can engage in off-network hacking with very bad intent and have very bad consequences. It depends on the consequence, the result. And to your point, Jen, I think one of the challenges in the Mirai context, or any of these, when you're trying to solve a community-wide problem, is that it's an incredibly complex problem, and you're gonna be touching many, many, many systems, which means there are many, many variables, and it's hard to get predictive or reliable results, which is what happened in this context.

Yeah, and I'll just, on the intent thing, I don't think we're dancing around it; we had a slide on it. I think the issue is that we're taking as read the intent is good in the discussion, but that doesn't change the fact that the outcome can be bad.

Can I, I'm sorry, can I address that? Just to be clear, I mean, and this may be a criticism of the law, but the violation under, for example, the CFAA, accessing a computer without authorization, is that you knowingly access the system. It's not that you knowingly access it to break it; it's that you knowingly access it. And so that violation is completed if you knowingly do that. Under the damage provision, if you intentionally access that and cause damage, that's the standard. And so actually the law does take that into account. It may not accommodate this circumstance where people would say, "Hey, we're doing it for entirely great, awesome reasons," but it does, under the law, have a requirement that you take action with a certain intent built in: you intentionally access a system without authorization, right? That's what the law says. It says nothing about whether it's for good or bad purposes, whether your intent is to be a good person or a bad person.

So if you know you're not authorized... But if you think you are authorized, then, say... that doesn't work either, because then they'll come back and the question is like, well, would a reasonable person have thought that they were authorized? And if you think you're authorized but a reasonable person in general would not think that, then you're guilty of intending... which is a problem for us, because we are not the average person, and we have a definition of intent, but we think, well, authorization is, you know, the RFC 2663 authorization code, and because it said "authorized," I'm authorized.

And so I think one of the problems you're facing here, which I think is absolutely right, is that, by and large, statutes are written in the main to deal with people in the main. When you're dealing with actually what researchers do, and these sort of good uses you're talking about, those are fringe cases by and large. And if you look at the cases that are brought under the CFAA, it's what you would expect: it's carders, it's people who, you know, a sysadmin who was mad and broke the system. It's stuff that actually is without question what we consider illegal conduct. These are harder because, you know, there are mitigating circumstances, and the law is not always well crafted to address those. And one could say, well, why don't you draft it that way? Unfortunately, it's akin to saying, why don't you write perfect code? And the response in part is, well, because someone may take it and repurpose it and use it in a way that wasn't intended. Bingo: someone may take the law that was drafted to deal with the carder and then use it in a way that, you know,
was not intended to maybe apply in that circumstance. It still applies to them.

All right, just one booster for the CFAA, the only one in the room who'll speak up for it.

Let me give you an example. It's old, you know, it didn't happen recently, but let's say that you're on a contractor network, which isn't yours, but it is someone you have a relationship with and are authorized to do things on. And you go and you take their hard drive out of their laptop. But before you take it, you come in and say, "I'm working for the helpdesk and I'm here to fix your machine; I hear you've had problems." And everyone always has problems with their laptop, so they're always happy to see someone come fix them. So they say, "Go ahead." You're on their system, their network; you take their hard drive, you leave with it, replacing it with another hard drive, and you have the original now in your possession. That seems authorized. Is that CFAA, or not?

I think CFAA, and a whole bag of other things.

Well, not necessarily, because, well, I don't know if I can say it, but it's basically that damage is more what I was getting at. You know, you're authorized in the sense that they thought you're gonna do something that you were authorized by someone else to do; they're okay with it themselves. You're in an environment that in theory you have some access to, but not full authorization when you leave. What is damage defined by in a modern context? Cloud is even easier, like, is there any damage? Or in the case of the botnet variety, did you really damage the camera, or does it need a firmware update and it starts working again?

A lot of cameras are bricked, either because it's not possible to repair them or it's not within the realm of the owner, who doesn't know how to repair that.

I'm just curious, with that example, how many people think that that's okay: bricking most cameras, taking out the camera... I'm sorry, the camera thing, breaking. Okay, I'm just curious, because it's not anywhere wrong. I mean, it's interesting to figure out what the norms are around this sort of thing. I think that most people are very wary to let someone else figure out how to remedy a problem using their own property. That is the way in which, I mean, letting someone else take control of your property and figure out what is the just disposition of that without any consultation, you know, with you.

You know what's really interesting here is the intersection between that statement and the debate we're having, and the debate over automatic patching, right? Because automatic patching is exactly that, and there's this whole discourse, obviously, within the context of security, that you can't trust users to make all the right decisions, not because they're bad or stupid but just because there are so many and the systems are so complex, that we should be taking a decent amount of the choices away from the users and having it happen automatically. So the question here isn't so much about that as: how do you vet who gets to decide what does happen, right? Who's choosing what the patch is, in this sense? Right, this is like a side-loaded patch; it's sort of what we're talking about, right?

Well, that's where we're really sucking. Information security is really bad at integrity, and we're good at confidentiality and availability, but when you're pushing patches out there's a lot of questions about, are you putting in a better patch that's not going to break the device? Have you really tested it properly? So that's a real weak area.

Just to go back to Leonard's question, though. If you know for a fact that the device that you're gonna brick is not the property of your attacker, would that change your willingness to brick it?

It would. So, show of hands, who would still brick in that situation? So if it's attacked... can I get your names? Leonard needs them later. You've got this camera out in Vietnam and it's flooding the traffic and there's nothing you can do about it. Your ISP's called you up and is saying, "We're charging you for this cost of traffic that's coming toward you," so you have to pay for that traffic. How do you stop it? It's an issue of self-defense: I want to stop it; my only option is to brick it. So what you're saying, what Leonard would say, is I shouldn't be doing that, is that the government is there to make these ethical decisions, to answer these questions, and you can't do it for yourself. And that's a bad situation to be in, because they're not going to help you. You call Leonard and say, hey... you call the FBI and say, "Hey, there's this machine attacking me," and, yes, "it's ghastly, but
we don't know who you are." If you're a rock star or a corporation they'll kind of help you, but if it's you or me, they won't.

So the self-defense argument, particularly the analogy to the fact that, you know, there is the permission to defend yourself in the physical world, is one that we hear pretty often. What is the argument around that when it relates to hack back?

My response to it? Oh, me? Sorry, hi, we're doing a thing, right? Oh, I was busy trying to fix Rob's problem.

I think about it in terms of, again, as I said, the mob, the mules. But if someone convinces someone else to harm you, let's say they pay money to a bodyguard or someone else to punch you, and you take defensive action and protect yourself against the person that was hired, why isn't that self-defense, and why isn't that ethical? Even though you're not getting at the source, the person who really started the whole thing, you're going after the person who's an immediate threat to you. Aren't you just defending yourself from the threat?

So I think there are a couple of answers to that. I guess, from a policy level, pulling the aperture back and saying, okay, so everyone now asserts this right to damage a third party, and it's an unwitting third party. It's not as if they're attacking me, but their system's compromised, they're unaware. Okay, fine, you're destroying their property. How can we agree on that?

Okay, so you put it like this: I'm sorry, but they didn't have a role in that, right? So let's say they try to throw a punch at you, unaware or not. Maybe they've been taken over, they're a zombie, they're trying to get your brain. If they're coming at you and you disable them, and you don't necessarily have to damage them, but maybe you break their legs, but maybe you don't, maybe you just...

This is the question. This is the issue that I think we are actually skirting, which is attribution, right? The one thing that I think makes this conversation very different than many others, and this comes up with letters of marque and militias and things like that, is... people familiar with letters of marque, show of hands? People familiar with that? Can you give a one-sentence explanation for people?

Essentially the constitutional authority, with a foundation to allow private parties to act essentially as agents of the government. In most senses that we know, it has been used to seize the property of pirates; that is how it's come up. There are questions about whether this sort of theory applies to cyber. That touches on a variety of questions, including, under our Constitution, it seems to have been used in connection with war and not outside that context. Also, in how that authority was actually used, people tend to cherry-pick the facts. It seems that, for example, people who were authorized under letters of marque as private actors were not allowed to board another ship; they weren't allowed to enter the waters of other countries to do this, which makes it, arguably, not a great analog to what happens in this space, unless you're gonna argue that cyberspace is, you know, the old global commons, which some people have argued. I think that's incorrect, because actually everything that happens in cyberspace is actually happening on someone's computer hardware located someplace, and that affects the way we apply the laws.

One sentence?

No, I just used a lot of commas.
If you have this level of confidence that, yes, the guy who threw a punch at you is the guy that you are punching, just on the level of equity it feels different, right?

So, two things I'd just say. The first is, if we're talking about self-defense, it's also important to note that there's an escalation element to self-defense, right? If someone punches me, I can't shoot them in the head; that's not acceptable self-defense. Proportionality, right? Proportionality is a key component of self-defense in the physical context, and so it would need to be here as well. The other thing that I was going to say is, first, note that we've shifted from the question of how do we address community-wide problems to the question of: now I'm being attacked and I'm responding. So there's a different set of trade-offs here.

Yeah, right.

And then I wanted to suggest that the attribution debate is a really hard debate, right, and there's a lot of reasons why it's good and it's better. Right, even if you were to posit that you knew that the person you were going after is the guy who did it, if attribution was 100 percent perfect, I would argue that there is still an interesting question as to whether it's a good idea. And it gets back to this idea of investing your hundred dollars, right? If you're a company or an individual trying to protect yourself and you have a hundred dollars to invest, well, how do you distribute that? And if we look at the history of security strategy and defense, one of the things that's very clear is defenders are more effective in situations where they have control of the environment and understanding of the environment, and in fact that's generally the only situation in which they're effective.

Disagree.

Okay, um, but what I would say is, the farther away you are from an environment you control, and I'd love to hear your take on this, the less effective you tend to be. And if you look at security strategy you can see this, everything from Clausewitz up to Boyd in the last century. And so what we are doing is we're taking dollars that we would be investing in a situation where we are, in theory, in control, on our network, and we're moving them to a place where we are not in control, off our network, so somewhere where the odds are actually much worse for us. That's not saying we're great at defense today; there are a lot of things that show that we're not. But it is suggesting, as you're investing, there's a lot more marginal return on the network where you have control; there's a lot of unexplored potential to be better there than going off of it and farther away.

Let me add a less smart-sounding way of saying that. So we actually had a roundtable with a variety of companies, because we were interested in finding out what's actually happening out there in this space. We've read the articles; a lot of them we think may be academic and not really about the practices that companies are using. And so we had a Chatham House Rules discussion with companies who we believe were pretty candid, because they admitted to some conduct that might have gotten them in an odd place. But what they tended to say was things like, you know, "If I have a client who's telling me, 'Can you develop perhaps a tool that will allow my files to auto-encrypt once they're outside my network,' and, you know, build that infrastructure, our answer is, yeah, you should invest in data loss prevention in lieu of us trying to develop something as complicated as that." I mean, the figures on patching and things of that sort. And by the way, this is said in my cybersecurity capacity. As a prosecutor, if you're a victim of a crime, we view you as a victim and we will prosecute that, and it's not your fault, because the one that's broken the law has broken into your network. On the cybersecurity policy end, though, there are questions about what is the way of tuning practices so that we have less insecurity and greater
reliability.

We built that in 2012. We built systems that, when they wake up, figure out where they are, and if they're not where they're supposed to be, they're encrypted and they don't decrypt; they don't get a key.

So I wanted to address this argument of trade-offs, which is a very good argument: if you do one thing, it means you can't do another one. And so, why are you, like, defense is kind of weak because you don't... it means a trade-off, so whenever I remove security from my inside to put it on the outside. So that's a good argument, except he gets it wrong, and that is that there's also decreasing marginal returns. There's only so much you can invest in your firewall, in your antivirus, before antivirus becomes meaningless, before the additional investment is meaningless. So just because you're trading off from one to another doesn't mean they're the same value of dollars. I could take one dollar from my firewall that's really not providing much value and put it into just the start of a hack back program that has a lot of value. And they're different dollars: they've got a lot of value over here, and I end up taking away very little value over here, because the additional dollars for that more expensive firewall don't matter.

Secondly, there's the issue of a general hack back program, which is probably a bad idea, because this is, yeah, it is constantly... versus a specific problem. Like, if you know Russian hackers go in and get the Coke formula, the secret Coke formula, yeah, they didn't care about a lot of documents; they care a lot about that document, and finding it and erasing it from the internet. It's like ransomware: most ransomware is not paid; they just wipe the system, reinstall Windows and go on with life, and they'll never recover those documents. Except for that one system, that critical database that's encrypted, in which case they'll do anything they can to decrypt that one ransomed device, pay whatever it takes, because that data is critical for them. So we're not talking about necessarily a whole program, but specific instances where a company might need it.

I hate to say it, but I agree with Rob, but I'd give you a different spin: that you can spend an inordinate amount of money and not understand your own environment and not know what to do. And I've seen that, and then we propose, "Or we could take away the threat, and it'll cost you a little bit of money, and it'll not be a problem anymore." And so that's been a decision. And that's also true, again, with these boundaries that don't exist: you may not understand your own environment, but you can understand a cloud environment extremely well, because it has a sort of predictability to it. And if the attacker's in a cloud environment, not only is it easier to understand, but it's also easier to collaborate and eliminate the threat by going after them in that environment.

So I'd just say very quickly two things. I always do two things. I think the Coke formula example is a really great one, because if you can't stop the one instance of the Coke formula from leaving your network, once the Russian intruders have taken it and mirrored it in a bunch of places, and probably pulled the data out and converted it in a lot of ways, you're gonna be in a much worse place to try to stop it once it's out there in a bunch of replications across the network, right? So that's actually an interesting example of where I think it is actually much harder to do this when it's outside your control. The other point: I totally agree with you on the marginal return point, but here's what I would say. So there's the saying, you know, a good offense is the best kind of defense, and if you're sort of building a sports team, you invest in your defense till they're very, very good, but you also need offense, so you need both. But I would argue... Leonard was talking about dwell time earlier, 60 days to 200 days; I've seen 45 days; whatever the number is, it's weeks or months. And if we stop and think about that for a minute: it's weeks or months, and we completely accept that, right? We sort of take that as the bottom line and say, let's look at where we could go elsewhere to get better marginal return. We don't say, how good is the standard of our defense right now, and why is it that dwell time is still so incredibly high? There's absolutely a point where you reach diminishing returns. I would just argue that on the defensive side you're nowhere near that, and there's a lot that we could do, not by just buying more firewalls, but by investing in new technologies and by changing the way we run security inside our networks, to do the understanding and control better. The choice is: do we accept that we can't do that, or do we think we could make it better? And that's the fundamental question.

All right, I would like to have a little time for audience questions, so I'm gonna cut it off there. There's one question I want to ask first, if we get to it. Sorry, guys, but the one question: what role can internet infrastructure providers play in this whole thing? Do they have a role to play?

Many roles. I mean, they can be one of your best allies in providing... I mean, I talk to them all the time, but they can try to provide a clean network, which effectively means finding the threats and blocking them for you. So
creating that predictability like I said a cloud provider essentially becomes the clean environment that blocks investigates the terrorist threats better than you could internal them to your own environment
Thanks. All right, so the gentleman at the back has had his hand up forever, so stop that.

So regarding what you stated earlier about legislation, you know, people, not the government: first, you said they can't investigate every cyber crime because there are so many. I'm a small company, I got hit, I'm going to go out of business, I don't have any importance, like, to respond... What kind of legislation are you guys going to help me with, somebody who isn't going to be investigated, somebody who can't do anything because I don't have any recourse to fight back with?

I'm pretty confident you'll like... I love this question; I'm not so sure about this answer. But so one of the reasons why... I mean, I've seen a development in the way the government is approaching this problem, and that is, I think even in the last decade the government has come to the realization of exactly how complicated it is. I don't think there's any agency right now that would say we are the answer and we will solve this; certainly law enforcement wouldn't say that. So if the question is, like, how are you going to better secure your network, then you start looking to things like, well, that's why we are investing in information sharing authorities, that's why you have FBI, Secret Service and DHS attempting to push more information out, that if we can't get to the threat actors on a, you know, per actor basis, we have to be better at hardening the targets on the front end and encouraging both practices and standards that will result in that hardening of systems. So I know that on an individual basis that's not a great answer. This does go back to the other question that I have, which is, as an individual, you know, business, small business owner, I do wonder what it is that you would do, though, that would be hacked back, that would help with that incident.

What? Before... yes, you are telling me I am one of the people that you are not going to be able to investigate and do something with.

Okay. I'd just quickly add on the back of that, I mean, the reason why we have something like the Internet Crime Complaint Center is they serve the purpose of bundling complaints so we can figure out where to put our resources, against what are our higher value threats, and that's how we get to some of the actors, even internationally, that we've gotten to in the last several years. We are prosecuting international actors at a pace that we hadn't before, and that is because individual businesses are getting hit, but it's not just because one business is getting hit, it's because, you know, most actors work at scale. And so there may be recourse for you; unfortunately it may not be as responsive as "I know they went after the one guy who did this to me."

So your answer is, you have a complaint center that, with enough complaints, may bundle up to going after one actor who's hitting a lot of businesses, so you may get helped, you may not, you don't know. And that's what you have, that's the law enforcement we have today, that's always been the law enforcement way.

Okay, so this may be going on the internet infrastructure side, cloud providers. So can we elaborate a little bit more about maybe what responsibilities we want to lobby for them to have? And, you know, if my defense in depth, when I'm trying to scan my own workloads there in the cloud and they tell me that I'm hacking back myself, it's your problem anyway.

I mean, yeah, a great analogy for that is the mall: like when you go inside the mall, they're the provider of basically all the services and you're just a shopfront sitting in the mall. So can you have your own bodyguards and, you know, militia inside your shop, or do you have to rely on the mall to provide those for you? Typically it's the mall has security and you don't, and that's a service they provide. So there's a lot of responsibility they have, but at the same time we have a lot of cases where random armed people in the mall shoot someone who's robbing a store and that person is hailed as a hero for stopping a worse crime. So actually the answer to that question is that they have a whole division that basically does hack back. It's not, you know, illegal hack back; they go to the government and get authority to do so, like with that No-IP thing, where they took control over the DNS provider in order to then stop all the command and control systems for all these different worms. It wouldn't have been an issue if they'd done it well, but they burned up and then screwed the whole company, so they did a really bad job. If they'd done that well it would have been a good shining success, right?

So to your question... so before we take the next question, I'm just gonna... we are just before 12:25, which is when we were scheduled to finish, but there is nothing in this room till 1:00, so we can stay on a little bit for those who would like to continue asking questions. I'm sorry; anyone who wants to keep going for a little bit, we can probably keep going for another 15 minutes or so, if that's okay with you. Yeah, okay. All right, I think the next question.

Yeah, I'd like to hear your opinions on where the line for authorization falls with something like JavaScript running in a web browser. Like, you say it's not okay to send an
attacker a piece of information that will, like, try to find their IP address, but if it's a web browser accessing your site you can send up JavaScript to do that; it'll just run it and send you back results. You don't really have to hack anything. And if that's not okay, why is it okay for advertising companies to do this? And this is going on. For another example, companies that detect you're running ad blocker software: they know that you don't want to run an ad in your browser, but they circumvent your ad blocker.

That's an excellent question. I think we should have addressed it before you asked it, but there is this issue of at what point am I crossing a line with the JavaScript I send you. If I do a buffer overflow in the JavaScript, I've clearly crossed the line, but in terms of... we all know that, but what would a reasonable person, not the attackee, understand as where that line is? And I don't think anyone knows. I think it's up to, you know, talk to your lawyer, and your lawyer will say they don't know, and talk to Leonard. Leonard, the buffer overflow: you would have to know that you're going to exceed the buffer for it to be willful. It's a lot of tricky stuff that advertisers, you know, everyone does all the time to try to get all your personal information, using cookies and stuff to track you, and at what point does this cross the line of unauthorized access? Yeah, so in hack back you definitely use beaconing; you definitely leave docs and people pick them up and they take them and it tells you their location, and it does not seem to me that different from advertising or common commerce methods of figuring out who is accessing your site.

So I guess, I mean, a couple of things. One, this question, and I think a number of the other ones that came up, I think reflect one of the challenges in doing things in legislation. So you can either draft a statute that tries to be very detailed, says exactly what you can do, and in this technical environment, where, you know, a pivot of the facts changes the analysis entirely, that's pretty impractical. On the other end, you could draft a statute that is fairly vague, that talks about, you know, reasonable measures or things of that sort, and the concern is that's simply not enough guidance for you to know what's right. And this is the tension and push and pull, specific I think to this area of law, where, you know, you're trying to say exactly what am I allowed to do. That's a fair question; you know, it does depend on, you know, a variety of things: what is the interaction between client and server, and what is happening there, how do we define and think about that exchange of information. By and large I think we are driven, or in one area, by norms. All right, so, you know, I think the cases in which we have, as a department, I think, gotten sideways with folks have been cases where people would assert that we are not applying the law consistent with what our norms of technology are. And I think that's why we're trying to be smarter, or having folks who are tech-savvy, who are applying the laws and understand how these sorts of technical issues work, is fairly important for what is a reasonable, consistent application of the law. So, unfortunately though, that does some kind of come down to a fact-based analysis.

This always reminds me of people smoking pot: that's kind of the norm, but people try to criminalize it even though it is the norm. Now, also I want to point out that the norm for web browsers is you have a URL on the top that we all edit but that the rest of the world doesn't. So what's the norm? I edit the URL back to something... for us, yes, that is the norm; for the rest of the population the norm is they never actually ever reach something that doesn't involve clicking on something or typing in something into a web form. So this norms-based argument, I would say, is crap, because it divides the world. We can't use norms: those of us who create and run the internet have one set of norms, and the visitors, the outsiders to the internet, have a different norm. They come after us and arrest us, but the laws are for everyone. You know, Prohibition: the law got repealed in part because of the normative and legal conflict.

This is your point about how... but one thing that I would just say that I think is interesting is, you're using the beaconing example, and we're having a discussion about hack back, but I think again it's important to say it's hard to have that discussion because actually hack back is a whole bunch of different things, and the trade-off in consequence is they are really different. I don't think someone would analogize the advertiser's activity to targeted destruction of a computer, right? But we would analogize it to a beacon. Well, but they're not destroying... I'm just saying that within, no, but within the umbrella of hack back as we're discussing it, as you move up this ratchet the trade-offs change a lot, is my only point. And so having a debate about beaconing and targeted destruction in the same conversation is hard because they're different issues, they're really different topics, right? Let's have the microphone back there.

So I appreciate the focus on norms here, because this is
the issue that I wanted to bring up. In the sort of municipal law of any individual state, we can deal with that sort of on a criminal law basis, but globally we don't have a set of norms that has developed through the sort of customary international law process. At some point we start to either have to think about this from a conventional law standpoint, or we have to go, you know, like the Legality of Use case, we've got to go ask the court for an advisory opinion, which I don't think anybody wants to do; it's never been done since. So what are the activities that are going on, if any, at this point to start to develop some conventional notion of what is and is not allowed, since clearly the process of developing customary international norms is not going to happen fast enough to be of any use?

He said "advisory opinions": there's this guy at the DOJ named Leonard Bailey who has been writing documents, like the one he just did with the vulnerability disclosure. It sets a norm now, from the DOJ point of view, of what is normal for a vulnerability disclosure, so that if you go in and now advise a medical company that there's a flaw in their medical equipment, and they come after you and try to get the DOJ to prosecute you for hacking their medical equipment, they've got documents now that say, well, you know, it's kind of following this norm of vulnerability disclosure, there's nothing abnormal. As well as other documents up there that say things like, about scanning the internet: is that in the norms or not? Well, he says it is in the norm; we can scan the internet, so that's fine.

Within the sort of municipal law of the United States. My question was really about the broader international law regime.

So I can actually say that there's a risk right now. I mean, I'm from an academic background, and I'm still, technically, an academic, because I teach at an international university; I teach ethics of cyber in a foreign country, and there is a danger that the norms are being defined by academics. I'm seeing a lot of work being pushed out right now by people in the last six months about what the norms are, and they say, for example, it blows my mind, that there is no deterrence: hack back has no deterrent effect, cyber has no deterrent effect, and they're trying to create the sort of definition or a sense of normal things which to me are flatly false. Like, not only have we used it as a deterrent, but it still works as a deterrent; we're trying to talk about it as a way to deter people from doing things. So it's a great question. There are people talking at the United Nations level, there are people talking at an EU level, so there's a lot of it going on, and it works both ways: we're trying to define the norms, and I hope from a practical hands-on experience level, not just from an ivory tower level, of what we'd like them to be. But it also works the other way, that we're able to start a company that does hack back and things, because there's difference, and there's gray area between people's definitions, and in some places it might be still authorized, so we can fight for that, just the way the states in the U.S. work as well: some states have different ideas.

And one point that will also not make you happy is that I think people forget how new all of this is. So if you pin... I mean, I personally think about the internet, for our purposes, as, you know, somewhere around 1995-96, where you had SSL, and, you know, in browsers, and people started using it for e-commerce, which changed the face of the internet, in my opinion. But if you pin from then and you look at other types of activities that we have global norms about, law of armed conflict: we've been at war for many, many, many years as a society; we developed norms around that. We're working on, you know, the third decade of this. As a scale, as a measure of this, we've got the Cybercrime Convention, which is the only international instrument that deals with cyber, and we have more than 50 countries that have signed on to that; there are 180-some countries on the planet. Now, not all of them have to join for that to work, but we're still moving towards, you know, getting it recognized on a global level.

But the Tallinn Manual from NATO has a great description of what they considered norms, of like, when someone attacks you in cyberspace, what's proportionate, agreed, to attack back, and so that kind of falls into this as well. Actually, the first version was written quite well; the second version, by the time they introduced it... but I mean, I think the point here is that the question you asked is absolutely the question to ask, and is being asked on an international level at the moment, and people are spending a lot of time on it.

And two things I would say. One thing that's important here is when we say the
"you", the "you" in this case is really important, because in a lot of the international discussions the "you" is a country, and that's very different from the discussion here about individuals. And so, that's right, a lot of the international law is concerned with what countries can do, and a lot of the discussion is concerned with that. But the other thing that I would say is, I would argue that you might not want norm creation and law creation, international or otherwise, to go a lot faster than this, only because, and the reason I say that is, everyone knows the slippery slope argument, right? There's also a wacky wall argument, which is if you create a wall, no matter where you put it, something's gonna be arbitrarily on one side or the other, and it's gonna have a bad effect. And right now we're still trying to understand the scope of what one can do or should do, and so if there was a drive to create something and have it tomorrow, I guarantee you everyone in this room would be unhappy about it for very different reasons, and so it might be that we're just not at that place yet. This is sort of tying in with what Leonard was saying.

Yeah, a good example of that is the authors of Tallinn, if I understand correctly, are starting to argue that the ransomware was a crime against humanity, which I disagree with vehemently. My research is in this area and my experience is in this area, and I cannot believe they're making this argument. But that's an example to me of where they would say that the spread of ransomware, because of its impact, and we haven't really discussed damage thoroughly, is not only a crime but a crime against humanity of massive scale that requires international cooperation to resist it.

We're definitely having this conversation later.

Okay, um, do you eventually see this heading down a path of, if you hire a lawyer to defend yourself legally, you could hire the equivalent of a penetration team to actually hack back on your behalf, kept on retainer? So, sorry, okay: the insurance contract for a million dollars worth of damages if you get hacked into, you can pay your annual retainer to a hack back company, they would basically defend you. Kind of a mutually assured destruction thing, yeah: you [ __ ] me, I [ __ ] you.

Yeah, what, it's not really like a bodyguard, is it? Oh really? A security service that has black helicopters; it's more like having your own tiny militia.

So this is a great area of research, and this again goes back to where I started before I got into computers, but you see that it's so complicated, such a... in fact my talk yesterday touched on this: militias tend to be out of control, amoral, linked to something which isn't a norm and therefore do huge atrocities, and so they're very frowned upon. In fact the formation of police, back to your social comment, was to reduce the number of militias, not only because of cost, economic considerations, people didn't want to be spending money on hiring militias all the time, there's a social good to creating a police that everybody would rely on, but also just because they're out of control and the politics of it. So that being said, if the norm is so bad that you can't get representation, sometimes militias are the only way for you to get justice, so there's no straight answer. But as someone who has been hired to do things that will make things better, as a private person, for companies, not only does it happen and exist but it's a good thing: you're, in a sense, solving a crime, or it's solving a problem. PIs do this, mercenaries do this, bodyguards do this; they exist in physical and logical.

Except that they'd usually do so under some regulatory framework that imposes some standards on the manner in which they act, and if you did that here, I'm not sure people have teased out what the consequences are fully. And, you know, under a regulatory framework, if that looks a certain way, you actually become a state actor, which means the Fourth Amendment applies to you, which means that you have a variety of different obligations that are now attached to you as well. So, I mean, there's things like that that kind of have to still be teased out if you're saying these are bodies that should be recognized, or individuals who would be recognized, to be able to wield certain authority that might otherwise break the law.

Yeah, and in the old days, a great example is digital forensics: we used to just do it, and it was just the thing private citizens did a lot to each other. A lot of companies were investigating each other, competitive intelligence and all kinds of crazy stuff, and then the private investigators got wind of this and said, well, you've got to be certified PIs and you've got to be licensed. A lot of states started to enforce it, not all of them, but in a lot of states you have to sort of go through some standard; but in the old Wild West days we were just doing it up everywhere. Yep, so good or bad, it's hard to say.

Just to expand on your position: you mentioned that the ACDC is very vague, it's three pages; what does a more ideal piece of legislation that would legalize hack back actually look like? And, kind of related to the previous question, if this does get legalized, well, how does it change industry? We already have a company, okay, that offers DDoS for hire, SQL injection for hire, to private
companies in the legitimate space. How would it change, unless we go under the CMA?

Well, when we covered it they kind of quietly got rid of the service they were advertising. Again, well, my ideal legislation would just be to repeal the CFAA. There's no crime that they prosecute under the CFAA that can't also be prosecuted under all the other ones. Look at all the hackers that are being caught: yeah, they're being prosecuted under the CFAA, but also all the other laws, all that stuff, and the wiretap laws and so on. So I don't think we need the CFAA. It amazes me, in a weird way; it's like asking, you know, should we define authorization for physical spaces? You know, it's like, if you get rid of the CFAA because it talks so much about authorization, are you really doing any harm to prosecution of people for entering?

One thing I would just note is we do define authorization for physical spaces, in extensive detail, right? I mean, there's a huge ream of legal history and legal statute about how to define whether you're authorized inside a physical space. The difference is it's been around for so long it's spread through the law in all these different ways, and we've tested out a lot of the kinks. There are still problems with it, but we tested a lot of the kinks, comparatively; trying to figure out in this context is still really new, and the analogs break down at some point. You know, obviously the issue is having sufficient notice that something, for example, is "I'm not authorized". In the physical world, the notion of trespass: you know, you want people to post signs or to put up a fence and make sure people understand what that means. You know, the debate is, you know, whether you need a technological measure that is a fence, essentially, your gate or fence, or can your policies be your fence.

Yeah, I feel like the internet moves at such a fast pace, I feel like it's been around forever; I mean, I feel like these issues... I remember banner pages; it used to be so required to put up a banner, because if you don't say "you're not authorized here" then you're giving them authorization, like a welcome mat. And I've heard even recently from Harvard there's an analogy where they said if you're not protecting your systems in a way that people know they're not supposed to get in, you're leaving cash on your lawn and it's just sitting there for anyone to take. This is the world of analogies; that is right. Yes, but to Rob's point, could we tease it out by just extending the physical language and building on that, rather than trying to build... well, the CFAA, we just say "authorization"; it doesn't even really get defined, and it's super vague. But, you know, stealing money is illegal; doesn't matter what the access. Steal credit card numbers and traffic in them; it's not CFAA, you can prosecute them on that, right?

Well, I guess as a prosecutor... I guess I'd argue people can be kind of hand-wavy and glib about what is and isn't criminalized. For example, when we're dealing with the theft of data, people have said, well, why not the trade secret statute, you can get them on that. Well, actually, no, because not all information, for example, is a trade secret; the fact is there's a specific definition of that class of information that's provided under the law. There are people who are prosecuted for only a 1030 violation, and that's because we don't have another offense under the federal law that we think fits well enough.

So I'm just gonna jump in and end it quickly, because we need to wrap up, but also I think I probably am the person who, other than the... has had an actual conversation with the government about doing this, and it wasn't this government. So Harvard recently ran a workshop, I think, I think that this is okay to say, I think I was told that I could say this: they recently ran a workshop with the Israeli government, who are looking at potentially authorizing hack back, and the question on the table was how do we come up with a legal framework that will make this viable and pragmatic, and every expert, and I sort of say expert because I was there, that they had in the room sort of very strongly urged them not to do it. Nobody felt that there was a really good way to do it. And yeah, we should have invited you, Rob; next time I'll make sure you're on the list. And I think if you were going to look at doing it, then, you know, to Nathaniel's point, you need to have a very, very, very specific definition of exactly what it is you're authorizing, and the reality is most experts that I've spoken to, and I'm not including you in that, have a point of view that hack back, when you're talking about an individual entity launching a counter strike against another entity that has attacked them, and, you know, actually trying to do something that will stop them in some way, or take revenge, or anything like that, that is just not something that is a sort of genie that can be kept in the bottle effectively. So something like beaconing, I think people do see a way of coming up with a framework and coming up with oversight and making that viable, but something like, you know, actually sort of launching a counter strike in some way designed to disable your adversary, I think people who spend a lot
of time looking at this, in the circles I've spoken to, which is not you, tend to have a pretty strong view that the public examples we have where somebody has tried to take an action designed to have, like, a specific effect of this... it's, I mean, you know, when we were at the roundtable at the workshop, it was palpable how many people were trying to avoid saying the word "Stuxnet" in the room, and somebody then did say it and there was like this momentary silence and I was just like giggling. And so, like, you know, every time we've seen an attempt at doing something like that, and that's like something that was obviously not hack back, but it was an attempt at taking a very targeted action and it got way out of scope, and that's the problem: like, how do we keep that in the bottle? Stopping you... um, so I have not heard of anybody coming up with a legal framework that would address that point; certainly beaconing is something that people are looking at much more. Yep.

Thank you, Jen and Leonard, for the talk and the panel; for all of this, really good food for thought. I'd like to get your opinion, I probably know your opinions, but maybe Leonard's opinion in particular, about if there was a repeal of the CFAA, it wasn't just about hack back but like hack forward, just if you're a half hacking, like lots of budget lines... could it not be argued that, though it might be a turbulent 18 months or a couple of years where all this stuff is just going on, the internet's, things are getting bricked and taken down, but that encourages people, to your points, to just be more thoughtful towards securing themselves, not buying, you know, junk IoT devices, sticking out vulnerable all the time, stuff that gets out of date, auto updating, people practicing good security hygiene. Wouldn't that just, would it just all kind of work itself out in a couple of years?

I don't know. I think that sort of dystopian plan actually may have... oh my god. So one of the things that I find difficult about this area, and why I enjoy it, because it's so complex, is this disparity in knowledge, right? So both in policymakers, but definitely in consumers: people believe everything beyond their keyboard is magic, right? That's how all that happens. Yes, it is magic, very nice magic. But that makes it really difficult to, like, calibrate what should be behavior and what will drive rational behavior, right? Because people are not similarly situated in terms of their understanding of what must be done in order to prevent, you know, this bad consequence. You would think... I mean, I've heard people argue that lifting credit card protections for consumers, that would create an immediate consequence, and that's probably right: you would have a lot of angry people who would then exert pressure down the line on companies that would result in... At the same time I think we don't think that that is a sort of either a fair way or a just way of proceeding and getting us to a place of stability. It's an interesting thought experiment. I mean, you're right, maybe at some point, I think we'd settle; there would be, you know, companies that people would sign up for for their security, that would, you know, deal with the people who have less knowledge, and, you know, thereby you would lift all boats to at least that level. I could see a whole lot of wreckage before getting there, though.

Oh yeah, it'll die out; the wreckage is, yeah, no, I could... like, if people were hacking the networks that let spoofed packets through, then we could put an end to all this reflective DDoS; it's network experience, right?

So history shows this doesn't work, and in particular, I do a lot of research in learning systems now, machine learning systems, for example, and this is like children as well: if you remove all guards and all lessons and you say just figure it out, you get the Lord of the Flies effect, which is they start killing each other, and really bad things happen; you lead towards anarchy and chaos, as opposed to them naturally forming better hardening guidelines and creating a better law. It just hasn't been the case. People need to learn from example, and so if you have a CFAA which is bad, it's a good thing to improve; it's an example of how you can make it better. So I would say, back to the earlier question, I would try to get cases on the books, precedent, things that people could learn from and work from, as opposed to removing everything and starting over, because that tends to lead, as we see from studying history, to much worse scenarios, and you extend the time it takes for people to learn how to get better.

All right, so we're gonna wrap up. Thank you so much, particularly for staying so long; we really appreciate it. I would like to thank my panelists, all of them; shockingly, you guys are awesome. Thank you very much, and thank you guys so much for joining us. [Applause]