A New Chapter in Cybersecurity? Is There a Role for Active Deterrence?

October.28.2016

In the 1969 film Butch Cassidy and the Sundance Kid, after Butch and Sundance rob Union Pacific Railroad (“Union Pacific”) the first time, Union Pacific employs a stronger safe.  After Butch and Sundance rob Union Pacific a second time, Union Pacific forgoes the safe and hires a posse of unrelenting gunmen, hell bent on capturing and/or killing the duo.  The posse ultimately forces Butch and Sundance to flee to Bolivia—where they resume their bank-robbing antics.  Ultimately, it takes the Bolivian army to stop them. In their case, albeit fictional, the active deterrent (the posse) was more effective at protecting Union Pacific’s money than the passive deterrent (the safe), in part, because Butch and Sundance were highly-motivated actors.

In the cybersecurity ecosystem, even when faced with highly-motivated actors, resources and efforts to combat cyber threats continue to focus primarily on passive deterrence—i.e., building a better safe by, among other things, identifying and addressing system vulnerabilities, cabining risks associated with an online presence, and educating users.  Notwithstanding those efforts, cyberattacks have not waned, and by some accounts, are on the rise in the United States and globally. Compare Ponemon IBM, 2015 Cost of Data Breach Study at p. 7 with Ponemon IBM, 2016 Cost of Data Breach Study at p. 8. This begs the question whether cybersecurity would be better served by dedicating more resources to active deterrence—in this case, pursuing criminal enforcement and civil lawsuits in order to identify cybercriminals, to disrupt their infrastructure, and to seize their assets.  Perhaps so.

Arguably, the relative absence of active deterrence from the cybersecurity ecosystem is understandable. Unlike what some would call “traditional” crimes with which we typically associate an actor, we rarely attribute cybercrimes to individual actors.  This results, in part, from the difficulty in identifying the malicious actor.  Consider the case of computer botnets.  A botnet is a network of user computers infected with malware that a cybercriminal can use for a variety of illicit activity, including datamining, phishing, DDoS attacks, and other illegal conduct.  They can infect and mine from millions of user computers, with the click of a button.  Many times, individual users are clueless about being victims because they are unaware that their computers are compromised.  Even if a user discovers that their computer has been compromised with malware associated with a particular botnet, they lack the skills necessary to address the harm.  Even still, botnets by design employ multiple levels of obfuscation making identification difficult for individual victims and companies alike.

The resulting perception is that cybercriminals are unknowable or unidentifiable. This perception is not limited to individual victims but extends to victim companies and government agencies.  Without an identifiable actor, the cybersecurity community appears to believe it may be futile for them to attempt to understand or to pursue attribution of cybercrimes or to seek enforcement and punishment. Accordingly, the focus shifts to building a (hypothetically) better safe.  And, when cyberattacks occur and the proverbial safe fails, targeted companies and government agencies dedicate resources to remediation and to demonstrating that they met the prevailing legal duty of care they may have owed their customers.  Notwithstanding the resources and efforts dedicated to passive deterrence, cyberattacks continue.  Simply put, passive deterrence alone may not be sufficient to dissuade highly-motivated and/or well-resourced actors—such as in case of state-sponsored cyberattacks.  Consequently, there should be a place for active deterrence to preventing cyberattacks.  To be clear, active deterrence is nothing new.  For example, Microsoft and industry trade groups like the Financial Services-Information Sharing and Analysis Center (“FS-ISAC”) have filed several John Doe lawsuits aimed at disrupting computer botnets. See e.g., http://blogs.microsoft.com/blog/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets/#sm.0000h7tyxyrm8eku11tyj031ws0na; http://www.courthousenews.com/2015/03/02/microsoft-targets-hackers-with-lawsuit.htm. These lawsuits target the command and control infrastructure (Internet domains and servers located at particular IP addresses) used to carry out cyberattacks. In August 2016, LinkedIn filed a John Doe lawsuit in federal court in the Northern District of California.  The lawsuit aimed at discovering who was responsible for the data-scrapping botnet that allegedly extracted and copied data from its user’s accounts. See LinkedIn Corp. v. Does 1 through 100, Case No. 5:16-cv-4463.

Also illustrative of the need for the active deterrence is the increased efforts by the United States Department of Justice and the Federal Bureau of Investigation to prosecute cybercrimes and to disrupt cyber threats.

Yet another example of the changing narrative is the proposed amendments to Rule 41 of Federal Rules of Criminal Procedure. Currently, Rule 41 restricts a judge’s ability to issue warrants outside of his or her jurisdictional venue.  The proposed amendments would add two exceptions that would allow judges to issues warrants that would allow remote access to “electronic storage media” and to “seize or copy electronically stored information” outside of the judge’s venue when (1) the suspect has concealed the district where the media or information is located and (2) when media or the damaged computers are located in five or more federal districts. See https://www.supremecourt.gov/orders/courtorders/frcr16_mj80.pdf. Referred to by some as “hack provisions,” the proposed amendments would give law enforcement greater tools to identify and locate alleged threat actors.

Perhaps most telling in a refocus on active deterrence were Vice President Biden’s comments this past weekend on Meet the Press. When NBC’s Chuck Todd asked whether the United States would respond to hacking of the Democratic National Committee, purportedly by actors associated with the Russian government, Vice President Biden responded:

We’re sending a message. We have the capacity to do it… He’ll know it… And it will be at time of our choosing. And under the circumstances that have the greatest impact… We will be proportionate in what we do.

http://www.nbcnews.com/meet-the-press/video/biden-we-re-sending-a-message-to-putin-786263107997.

It makes sense that active deterrence would fall primarily to law enforcement agencies that have more robust investigative tools. However, government alone is unlikely to have all of the resources to pursue cyber threats at a sufficient scale or rate to actually deter the most serious actors.  Accordingly, there will likely be a continued and substantial role for the private sector in implementing active deterrence.  Keep in mind, in Butch Cassidy and the Sundance Kid, it was Union Pacific Railroad—not the United States government—that hired the posse.  We have likely evolved from employing gun-wielding posses; however, the cybersecurity community may need to employ active deterrence with equal efficacy in order to properly dissuade highly-motivated cybercriminals.