The National Academies Press

Currently Skimming:

5 Perspectives on Cyberattack Outside National Security
Pages 200-213

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.

From page 200... ... (The legal authority for such activity is Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended to include the Electronic Communications Privacy Act, and briefly described in Chapter 7.) In addition, law enforcement authorities may conduct surreptitious searches of computers for documents when so authorized under a court-issued warrant. Read the entire page →
From page 201... ... networks and other wireless devices such as garage door openers and remote control devices for toys in order to prevent their use to detonate remote-controlled bombs. Jamming cell phone networks in a specific geographic area could be used to help stop terrorists and criminals from coordinating their activities during a physical attack and prevent suspects from erasing evidence on wireless devices. In prisons, jamming could interfere with the ability of prison inmates to use contraband cell phones, which are often used to intimidate witnesses, coordinate escapes, and conduct criminal enterprises. Read the entire page →
From page 202... ... Senator Kay Bailey Hutchison and Representative Kevin Brady also introduced a bill that would allow the U.S. Bureau of Prisons and governors to seek the authority to jam cell phones in prisons. 5.2 Threat Neutralization In the Private Sector 5.2.1 Possible Response Options for Private Parties Targeted by Cyberattack In general, a private party that is the target of a cyberattack has four options for responding. Read the entire page →
From page 203... ... The Department of Homeland Security has the responsibility for seeing to the cyber protection of the defense industrial base and the providers of critical infrastructure. But to the best of the committee's knowledge, neither DHS nor any other part of government has been given the authority to conduct active threat neutralization on behalf of any part of the private sector (including the companies of the defense industrial base and the providers of critical infrastructure) Read the entire page →
From page 204... ... , the White Wolf Security corporation argued that corporate victims of cyberattack have limited rights to use offensive cyber operations in order to proactively protect their assets and workforce from attacks originating in the United States and in allied non-U.S. nations and that private military companies constitute an emerging base from which to conduct such operations on behalf of any party entitled to conduct them. Read the entire page →
From page 205... ... Although the CFAA contains an explicit exception for law enforcement agencies that undertake the normally proscribed behavior with respect to cyberattack, there is no explicit exception for private parties. On the other hand, the CFAA was never intended to apply and does The Model Penal Code does include exceptions for self-defense and defense of prop erty (Model Penal Code, American Law Institute, Philadelphia, 1962, available at http://www. Read the entire page →
From page 206... ... by a company to test its own defenses.12 A number of such firms provide such services so that a company can obtain a realistic assessment of its own security posture, and indeed penetration testing is often recommended as one of the best ways of doing so.13 A more significant issue is that in light of common law traditions regarding self-defense and defense of property, it is at least possible that a court might find that certain cyberattack actions undertaken in defense of property might be allowable, although whether such actions can stand as an exculpatory rationale for conducting active threat neutralization has not been tested in the courts to date. Even if not, actions taken in defense of property might be a starting point for legislative change if a policy decision is made that such actions involving cyberattack should be allowed in certain circumstances.14 In the context of active threat neutralization of private, non-government computer systems under attack, an interesting question thus arises. Read the entire page →
From page 207... ... Yet under some circumstances, private parties can and do act with lethal force in order to neutralize an immediate threat to life, and they can act with non-lethal force to neutralize an immediate threat to property. It is not known how frequently victims of cyberattack take self-help actions. Read the entire page →
From page 208... ... . 5.2.3 Regulating Self-defense by Private Parties Some cybersecurity analysts propose letters of marque and reprisal as a model for regulated private cyberattacks to support threat neutralization.17 Letters of marque and reprisal were originally used by governments to give private parties the authority to take certain actions generally regarded as appropriate only for a nation's military forces -- namely to operate and use armed ships to attack and capture enemy merchant ships in time of war. Read the entire page →
From page 209... ... Who should have the authority to make such a determination? What alternatives to active threat neutralization must have been tried before active defense can be used? Read the entire page →
From page 210... ... Civil liability may attach for such action (e.g., the party launching the action in defense of property may be responsible to the innocent victim for damages suffered) , although the liability might be less if the innocent party was negligent in allowing his or her computer to be used for malevolent purposes.19 5.2.4 Negative Ramifications of Self-defense by Private Parties The discussion above should not be construed as advocating a change from today's legal regime that strongly discourages active threat neutralization by private sector entities. Read the entire page →
From page 211... ... . In the absence of mandatory standards for taking such action, actions by private parties would be governed by the party's own view of its selfinterest, and in particular would be unlikely to take into account other broader societal or national needs.20 Thus, active threat neutralization may run a higher risk of having effects that work against those broader needs or objectives. Read the entire page →
From page 212... ... A tighter regime might explicitly prohibit active threat neutralization by private parties even under the rubric of defense of property, prohibit active intelligence gathering by private parties in the wake of a cyberattack, make parties undertaking threat neutralization strictly liable for any harm they cause, and so on. 5.3 Cyberexploitation in the Private Sector Given that the technical skills for cyberexploitation are similar to those required for cyberattack and in light of the discussion above, it is likely that some U.S. Read the entire page →
From page 213... ... The primary difference between protection for government agencies and for the private sector is the fact that the actions of government agencies are subject to government control and direction within the limits of statutory law and constitutional restraint, whereas the U.S. government has exercised little influence apart from the bully pulpit today to direct or even influence the actions of much of the private sector regarding cybersecurity, a notable exception being private sector companies that are subject to strong government regulation, such as the financial sector or companies in the defense industrial base, or that provide key services to the federal government. Read the entire page →

From page 200...

... (The legal authority for such activity is Title III of the Omnibus Crime Control and Safe Streets Act of 1968, as amended to include the Electronic Communications Privacy Act, and briefly described in Chapter 7.) In addition, law enforcement authorities may conduct surreptitious searches of computers for documents when so authorized under a court-issued warrant.

Read the entire page →

From page 201...

... networks and other wireless devices such as garage door openers and remote control devices for toys in order to prevent their use to detonate remote-controlled bombs. Jamming cell phone networks in a specific geographic area could be used to help stop terrorists and criminals from coordinating their activities during a physical attack and prevent suspects from erasing evidence on wireless devices. In prisons, jamming could interfere with the ability of prison inmates to use contraband cell phones, which are often used to intimidate witnesses, coordinate escapes, and conduct criminal enterprises.

Read the entire page →

From page 202...

... Senator Kay Bailey Hutchison and Representative Kevin Brady also introduced a bill that would allow the U.S. Bureau of Prisons and governors to seek the authority to jam cell phones in prisons. 5.2 Threat Neutralization In the Private Sector 5.2.1 Possible Response Options for Private Parties Targeted by Cyberattack In general, a private party that is the target of a cyberattack has four options for responding.

Read the entire page →

From page 203...

... The Department of Homeland Security has the responsibility for seeing to the cyber protection of the defense industrial base and the providers of critical infrastructure. But to the best of the committee's knowledge, neither DHS nor any other part of government has been given the authority to conduct active threat neutralization on behalf of any part of the private sector (including the companies of the defense industrial base and the providers of critical infrastructure)

Read the entire page →

From page 204...

... , the White Wolf Security corporation argued that corporate victims of cyberattack have limited rights to use offensive cyber operations in order to proactively protect their assets and workforce from attacks originating in the United States and in allied non-U.S. nations and that private military companies constitute an emerging base from which to conduct such operations on behalf of any party entitled to conduct them.

Read the entire page →

From page 205...

... Although the CFAA contains an explicit exception for law enforcement agencies that undertake the normally proscribed behavior with respect to cyberattack, there is no explicit exception for private parties. On the other hand, the CFAA was never intended to apply and does The Model Penal Code does include exceptions for self-defense and defense of prop erty (Model Penal Code, American Law Institute, Philadelphia, 1962, available at http://www.

Read the entire page →

From page 206...

... by a company to test its own defenses.12 A number of such firms provide such services so that a company can obtain a realistic assessment of its own security posture, and indeed penetration testing is often recommended as one of the best ways of doing so.13 A more significant issue is that in light of common law traditions regarding self-defense and defense of property, it is at least possible that a court might find that certain cyberattack actions undertaken in defense of property might be allowable, although whether such actions can stand as an exculpatory rationale for conducting active threat neutralization has not been tested in the courts to date. Even if not, actions taken in defense of property might be a starting point for legislative change if a policy decision is made that such actions involving cyberattack should be allowed in certain circumstances.14 In the context of active threat neutralization of private, non-government computer systems under attack, an interesting question thus arises.

Read the entire page →

From page 207...

... Yet under some circumstances, private parties can and do act with lethal force in order to neutralize an immediate threat to life, and they can act with non-lethal force to neutralize an immediate threat to property. It is not known how frequently victims of cyberattack take self-help actions.

Read the entire page →

From page 208...

... . 5.2.3 Regulating Self-defense by Private Parties Some cybersecurity analysts propose letters of marque and reprisal as a model for regulated private cyberattacks to support threat neutralization.17 Letters of marque and reprisal were originally used by governments to give private parties the authority to take certain actions generally regarded as appropriate only for a nation's military forces -- namely to operate and use armed ships to attack and capture enemy merchant ships in time of war.

Read the entire page →

From page 209...

... Who should have the authority to make such a determination? What alternatives to active threat neutralization must have been tried before active defense can be used?

Read the entire page →

From page 210...

... Civil liability may attach for such action (e.g., the party launching the action in defense of property may be responsible to the innocent victim for damages suffered) , although the liability might be less if the innocent party was negligent in allowing his or her computer to be used for malevolent purposes.19 5.2.4 Negative Ramifications of Self-defense by Private Parties The discussion above should not be construed as advocating a change from today's legal regime that strongly discourages active threat neutralization by private sector entities.

Read the entire page →

From page 211...

... . In the absence of mandatory standards for taking such action, actions by private parties would be governed by the party's own view of its selfinterest, and in particular would be unlikely to take into account other broader societal or national needs.20 Thus, active threat neutralization may run a higher risk of having effects that work against those broader needs or objectives.

Read the entire page →

From page 212...

... A tighter regime might explicitly prohibit active threat neutralization by private parties even under the rubric of defense of property, prohibit active intelligence gathering by private parties in the wake of a cyberattack, make parties undertaking threat neutralization strictly liable for any harm they cause, and so on. 5.3 Cyberexploitation in the Private Sector Given that the technical skills for cyberexploitation are similar to those required for cyberattack and in light of the discussion above, it is likely that some U.S.

Read the entire page →

From page 213...

... The primary difference between protection for government agencies and for the private sector is the fact that the actions of government agencies are subject to government control and direction within the limits of statutory law and constitutional restraint, whereas the U.S. government has exercised little influence apart from the bully pulpit today to direct or even influence the actions of much of the private sector regarding cybersecurity, a notable exception being private sector companies that are subject to strong government regulation, such as the financial sector or companies in the defense industrial base, or that provide key services to the federal government.

Read the entire page →

← Previous Chapter Skim

Next Chapter Skim →

This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More information on Chapter Skim is available.

5 Perspectives on Cyberattack Outside National Security Pages 200-213

5 Perspectives on Cyberattack Outside National Security
Pages 200-213