Tag: cyberpolitics

Cyber Letters of Marque and Reprisal: "Hacking Back"

In the thirteenth century, before the rise of the “modern” state, private enforcement mechanisms reigned supreme. In fact, because monarchs of the time had difficulties enforcing laws within their jurisdictions, the practice of private individuals enforcing their rights was so widespread that for the sovereign to be able to “reign supreme” while his subjects simultaneously acted as judge, jury and executioner, the practice of issuing “letters of marque and reprisal” arose. Merchants traveling from town to town or even on the high seas often became the victims of pirates, brigands and thieves. Yet these merchants had no means of redress, especially when they were outside the jurisdiction of their states. Thus the victim of a robbery often sought to take back some measure of what was lost, usually in like property or in proportionate value.

The sovereign saw this practice of private enforcement as a threat to his sovereign powers, and so regulated the practice through the letters of marque. A subject would appeal to his sovereign, giving a description of what transpired and then asking permission to go on a counterattack against the offending party. The trouble was, however, that often the offending party was nowhere to be found. In practice, then, reprisals against an “offending” party usually ended up being carried out against the population or community from which the brigand originated. The effect of this practice, interestingly, was to foster greater communal bonds and ties and cement the rise of the modern state.

One might ask at this point, what do letters of marque and reprisal have to do with cybersecurity? A lot, I think. Recently, the Washington Post reported that there is increasing interest in condoning “hacking back” against cyber attackers. Hacking back, or “active defense,” is basically attempting to trace the origins of an attack, and then gain access to that network or system. With all of the growing concern about the massive amounts of data stolen from the likes of Microsoft, Target, Home Depot, JPMorgan Chase and nameless others, the ability to “hack back” and potentially do malicious harm to those responsible for data theft appears attractive. Indeed Patrick Lin argues we ought to consider a cyber version of “stand your ground” where an individual is authorized to defend her network, data or computer. Lin also thinks that such a law may reduce the likelihood of cyberwar because one would not need to engage or even to consult with the state, thereby implicating it in “war crimes.” As Lin states, “a key virtue of ‘Stand Your Cyberground’ is that it avoids the unsolved and paralyzing question of what a state’s response can be, legally and ethically, against foreign-based attacks.”

Yet this seems to be the opposite approach to take, especially given the nature of private enforcement, state sovereignty and responsibility. States may be interested in private companies defending their own networks, but one of the primary purposes of a state is to provide for public—not private—law enforcement. John Locke famously quipped in his 2nd Treatise that the problem of who shall judge becomes an “inconvenience” in the state of nature, thereby giving rise to increased uses of force, then war, and ultimately requires the institution of public civil authority to judge disputes and enforce the law. Cyber “stand your ground” or private hack backs places us squarely back in Locke’s inconvenient state.

Moreover, it runs contrary to the notion of state sovereignty. While many might claim that the Internet and the cyber domain show the weakness in sovereignty, they do not do away with it. Indeed, if we are to learn anything from the history of private enforcement and state jurisdiction, sovereignty requires that the state sanction such behavior. The state would have to issue something tantamount to a letter of marque and reprisal. It would have to permit a private individual or company to seek recompense for its damage or data lost. Yet this is, of course, increasingly difficult for at least two reasons. The first is attribution. I will not belabor the point about the difficulty of attribution, which Lin seems to dismiss by stating that “the identities of even true pirates and robbers–or even enemy snipers in wartime–aren’t usually determined before the counterattack; so insisting on attribution before use of force appears to be an impossible standard.” True attribution for cyber attacks is a lengthy and time-consuming process, often requiring human agents on the ground, and it is not merely about tracing an IP address to a botnet. True identities are hard to come by, and equating a large cyber attack to a sniper is unhelpful. We may not need to know the social security number of a sniper, but we are clear that the person with the gun in the bell-tower is the one shooting at us, and this permits us to use force in defense. With a botnet or a spoofed IP address, we are uncertain where the shots are really coming from. Indeed, it makes more sense to think of it like hiring a string of hit men, each hiring a subcontractor, and we are trying to find out who we have a right of self-defense against; is it the person hiring or the hit men or both?

Second, even if we could engage a cyber letter of marque we would have to have some metric to establish a proportionate cyber counter-attack. Yet what are identities, credit card numbers, or other types of “sensitive data” worth? What if they never get used? Is it then merely the intrusion? Proportionality in this case is not a cut and dry issue.

Finally, if we have learned anything about the history of letters of marque and reprisal, then it is that they went out of favor. States realized that private enforcement, which then turned to public reprisals during the 18th to early 20th centuries, merely encouraged more force in international affairs. Currently the modern international legal system calls acts that are coercive, but not uses of force (i.e. acts that would violate Article 2(4) of the United Nations Charter), countermeasures. The international community and individual states no longer issue letters of marque and reprisal. Instead, when states have their rights violated (or an ‘internationally wrongful act’ taken against them), they utilize arbitration or countermeasures to seek redress. For a state to take lawful countermeasures, however, requires that it determine the responsible state for the wrongful act in question. Yet cyber attacks, if we are to rely on what the professional cybersecurity experts tell us, are sophisticated in that they hide their identities and origins. Moreover, even if one finds out the origin of the attack, this may be insufficient to ground a state’s responsibility for the act. There is always the deniability that the state issued a command or hired a “cyber criminal gang.” Thus countermeasures against a state in this framework may be illegal.

What all this means is that if we do not want to ignore current international law, or the teachings of history, we cannot condone private companies “hacking back.” The only way one could condone it is for the state to legalize it, and if this were the case, then it would be just like the state issuing letters of marque and reprisal. Yet by legalizing such a practice, it may open up those states to countermeasures by other states. Given that most of the Internet traffic goes through the United States (US), that means that many “attributable” attacks will look like they are coming from the US. This in turn means that many states would then have reason to cyber attack the US, thereby increasing and not decreasing the likelihood of cyberwar. Any proposal to condone retaliatory private enforcement in cyberspace should, therefore, be met with caution.

What Should You Read on Cyber Security?

Editor’s Note: This is a guest post by Brandon Valeriano of the University of Glasgow and Ryan C. Manes of the University of Chicago, Illinois. Brandon asked if we could run a bibliography on Cyber Security, and we happily agreed. If anyone else is interested in submitting bibliographies to be archived at the Duck of Minerva, drop us an email.

It is that time of the year again – that time when everyone considers updating their syllabus. So you have an interest in cyber security but have not taken the time to develop a reading list. Well here it is, I have, unfortunately, dived into the topic. The following includes a one-day version and then a more detailed list that can be used to develop a class, graduate seminar day, or to prep for a debate.

(Thanks to Hans-Inge Langø for asking the original question that prompted this post and suggesting a few things I was missing)

Of course I may have left some things out. This is a developing literature so we will update as time goes on. Feel free to tweet suggestions to @drbvaler. We attach many of our own writings here, mainly because we are a glutton like that but also because our book on Cyber Conflict is not out yet. The premium here, at least for us, is on social-scientific and peer-reviewed articles and books rather than popular speculation. Our goal is to present the entire range of the field, from the cyber threat hype folks, to the more measured reactions, to the cyber skeptics.

Does Snowden Pass the Test?

As you’ve probably noticed, I’m working through two competing concerns: (1) the legal and ethical obligations that come with holding a security clearance and (2) the ethical and moral obligation to bring deeply problematic government action to light. In comments elsewhere, I’ve put forth two examples of what I think are relatively straightforward kinds of cases:

  • Publicizing war crimes that the state is covering up; and
  • Indiscriminately dumping government diplomatic cables.

The first provides a justification for disclosing classified information, the second is completely without justification. Without in any way denying that the US government’s treatment of Bradley Manning has been horrific and outrageous, I think it is clear that Manning crossed the line when he downloaded every government cable he could get his hands on and turned them over to Julian Assange.

I probably shouldn’t have used Jeffrey Toobin’s New Yorker piece as an excuse to initiate discussion, because, well, it was a piece by Jeffrey Toobin. But, thankfully, Josh Marshall and Josh Barron have both written thoughtful pieces on these issues.

Cyber-War: Emerging Threat or Phantom Menace?

Apparently the ruckus between Google and China amounts to a “cyber war.”

This sounds familiar. In late February, former director of national intelligence Michael McConnell declared on the WAPO opinion pages that we are losing some sort of “cyberwar.” Then earlier this month Obama administration cyber-czar Howard Schmidt announced “there is no cyberwar” at the RSA Security Conference in San Francisco.

At Government Computer News, William Jackson asks a useful question: “How can we be at cyberwar if we don’t know what it is?”

Words have consequences. War entails specific risks and responsibilities and should not be entered into lightly. The Constitution lays out requirements for engaging in war, and the United States is a signatory to treaties that impose legal restrictions on conducting warfare, such as distinguishing between combatants and non-combatants and military and non-military targets. And once a nation engages in an act of war, it invites retaliation, regardless of its motives.

As of now, we have no workable definition of what constitutes cyberwar, and more often than not we lack the ability to accurately distinguish it from acts of online vandalism.

For what it’s worth, Ronald J Diebert and Rafal Rohozinski have a new article in International Political Sociology on the concept of cyber-security in which they analyze the parameters of the debate over what concepts like “cyberwar” or “cybersecurity” mean. They point out that there are two sets of rhetoric here – one about risks to cyberspace, and one about risks through cyberspace. They also argue that governance may be emerging more clearly in the former arena than in the latter, which essentially remains contested.

Perhaps the conceptual corollary is helpful: genuine acts of cyber-war might be understood as efforts to target infrastructure, whereas much of what we critique as cyber-war “hype” are simply concerns over conventional forms of espionage or sabotage using new media.

It’s hard to see how Google’s withdrawal from China fits either category, though. In fact, at Wired, Ryan Singer argues that cyber-war hype like this itself might be “the biggest threat to the internet” as the hype encourages citizens to imagine that increased government surveillance or control over web traffic would be a public good. To draw on Diebert and Rohozinski’s typology (of cyber-war as risks to cyber-infrastructure), cyber-war hype might itself constitute a form of cyber-war – or at least, cyber-war-propaganda.

Well, one thing’s for sure: I smell some interesting dissertations in the near future to organize our thinking around these concepts.

[cross-posted at LGM]

© 2019 Duck of Minerva