July 1, 2017
InfoSecurity Professional INSIGHTS
InfoSecurity Professional INSIGHTS is (ISC)²’s bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Similar to the magazine, it will deliver timely, compelling content written with the professional development of infosecurity practitioners in mind.
Digitizing the Geneva Convention: Justice on the High (Cyber) Seas
By Jeff Bauer, CISSP, June 2017
“Those unable to catalog the past are doomed to repeat it.” -–Lemony Snicket, A Series of Unfortunate Events
MIDLANDS, ENGLAND–When navigating the pitfalls of network security and transnational issues, great insight can be achieved by reviewing historical precedents that evolve in response to changing conditions and technologies, such as the law of the sea.
Natural Law, Private War and Self-Defense:
In 1603, ships of the United Dutch East India Company on a trading mission to the Spice Islands (Indonesia) were attacked and dispersed by Spanish warships. The admiral of the Dutch fleet proceeded on alone and upon arriving at his destination, learned that there had been another battle between some of his dispersed vessels and a Portuguese fleet. Subsequently, the Dutch admiral captured a large Portuguese ship, put the Portuguese crew ashore and sailed the vessel back to Holland where investors petitioned to have the Portuguese ship and its cargo declared a prize.
The legality of the capture of the Portuguese ship was questionable under prevailing international law in that the United Provinces were in a state of rebellion against their overlord, Philip III, King of Spain and Portugal. Under such conditions, the use of force would have been prohibited except in cases of self-defense, so while the Dutch were allowed to fight off an attack, capturing a Spanish or Portuguese vessel was illegal. The Portuguese subsequently sued for the return of their vessel and its cargo. To argue their case, the Dutch investors engaged a newly minted solicitor, Hugo Grotius. Grotius asserted that the sea was a common possession of mankind and by the common consent of nations, the rules of international commerce included freedom of trade and navigation. According to Grotius, it was a crime against natural law to monopolize something held in common. Grotius argued that Spain and Portugal had violated natural law and by their actions had declared a “private war” on the United Dutch East India Company; he reasoned that a trading company could legally engage in private warfare against other merchants or sovereign states because it not only had a right to trade, but an obligation to safeguard trade and defend its property. Grotius argued that the United Dutch East India Company was entitled to reparations, and in the absence of an effective independent judicial procedure, also had a moral obligation to defend not only its rights, but by extension, everyone else’s rights as well.
He contended that the injured party was entitled to receive the equivalent of the loss and expenses from those who had violated natural law by disrupting the free flow of commerce and attempting to defend an unnatural regional hegemony. Grotius contended that if there was no other source or process from which the injured party could properly receive compensation, then the plaintiff should be allowed to obtain satisfaction from any source whatsoever. Although the full treatise was not published in his lifetime, the shareholders were no doubt pleased when the Dutch courts ruled in their favor.
Regulating a Service Industry:
In the late 1600s, the British established Vice Admiralty Courts—in essence, regional civil institutions—in their colonial possessions as a way of regulating commercial maritime activity. Admiralty judges were also empowered to issue Letters of Marque (to address a commercial violation during time of peace) and Reprisal (commissioning of a private vessel to plunder commerce of a hostile power with the strategic goal of disrupting their maritime activities), licenses that distinguished state-authorized plundering from piracy. In time of war, Vice Admiralty Courts also functioned as “prize courts” with the authority to condemn captured enemy ships and cargo.
After the American Declaration of Independence in 1776, the Continental Congress also licensed privateers to offset the paucity of regular American naval assets; with only 64 colonial naval vessels, the Americans needed their privateers more than the Europeans historically ever had. On the other hand, during the War of 1812, America’s privateers did not prevent the Royal Navy from sailing up the Potomac River and unloading troops, which then burned the new capital city, or intervene during the bombardment of Fort McHenry in Baltimore Harbor. John Adams bemoaned the fact that the privateers operated independently and could not be compelled to coordinate in a combined strategy; privateering was a better demonstration of the need for a legitimate naval capability than a substantive strategic concept.
In an August 29, 2016, letter to U.S. President Barack Obama just prior to the G20 Summit held in Hangzhou, China, U.S. Senators recommended he raise the issue of cybercrime and call on the G20 leaders to commit to a “coordinated strategy to combat it.’’ Drawing on the ideas of Grotius, the internet, like the sea and air, could be considered common property, shared by all, who should also be privileged to engage and trade freely with one another across artificial boundaries. The congressional letter recognized that the problem of protecting internet commerce was global, so workable solutions would require an effective, independent regional/international civil adjudication procedure.
Modern ‘Letter of Marque’
A modern cyber “Letter of Marque” would perhaps accomplish what the original document did: establish an international warrant or seizure order issued by a multinational tribunal based on a rigorous, publicly presented examination of the facts, grounded on sound principles of civil judicial procedure, rendered by a panel of experts from a coalition of impartial international partners willing to cooperate to enforce the right of collective self-defense. The weapons of self-defense would be essentially financial, targeting the funds, credit and transactions of the transgressor(s) and seeking primarily to ensure that he who has suffered loss “receives or collects exact and equivalent indemnity” for all losses and expenses from the possessions of the attackers.
To bind the stakeholders to such a procedure, the tribunal would have to be just, open, impartial and transparent, as well as capable of withstanding cross-examination with a sound appeal mechanism. Access to this procedure should be open to all who participate, and if the attacker is unwilling to make due restitution and cannot be compelled by an ineffectual or unwilling national authority, then the injured party should properly receive compensation from any of the malefactor’s sources or from the assets of the ineffectual/unwilling national authority, with all the other participants obligated to facilitate in the reimbursement process.
Consider some more recent examples of cyber heists that carried big headlines and caused major headaches for victims.
Public disclosure of more than 100 terabytes of Sony Pictures’ confidential information in November 2014 revealed a previously unknown hack that was later used by a hacker group calling itself “Guardians of Peace” to blackmail the entertainment giant into canceling screenings of its satirical comedy, The Interview, about a plot to assassinate the current North Korean leader, Kim Jong-un. Although U.S. intelligence and law enforcement identified North Korea as the likely sponsor of the attack and President Obama enacted additional sanctions against the already sanction-strangled regime, as a commercial enterprise responsible for defending its own information, Sony was largely on its own in dealing with the aftermath. It engaged cybersecurity firm FireEye to assess the damage, shield its employees from the personal data compromise and repair its infrastructure at a considerable cost. In the first quarter of 2015, Sony Pictures reportedly set aside $15 million for incident response, notwithstanding the potentially far costlier loss of income from leaked films and canceled releases.
In late 2015, a bank in the Philippines and another in Vietnam, as well as a Bengali bank in February 2016, were the targets of online attacks. Security firm Symantec said the attackers used a unique piece of code, encryption algorithms and data deletion methods that had only been used in the Sony Pictures’ intrusion and in previous attacks on banks and media companies in South Korea. The thieves stole $81 million from the central bank of Bangladesh. FireEye reported similar attacks on eight other Asian banks.
In August 2016, it was revealed that more hacks of the SWIFT global financial messaging system had been discovered at other institutions with some of the previously unknown attacks being successful, although no losses have been disclosed. In May 2016, some of the money from the Bangladesh cyber heist surfaced at Philippine casinos. On November 12, 2016, The Wall Street Journal reported that $15 million seized from the casino by Philippine authorities and held since May had been returned to Bangladesh, although the rest of the proceeds had disappeared into the Philippine casino industry, unlikely ever to be found.
Reuters reported on a November 2, 2016 SWIFT message warning banks of the escalating threat to their systems. Subsequently, on December 2, The Wall Street Journal carried a news item on the theft of $31.3 million from a correspondent’s bank account at Russia’s central bank, which was able to recover some of the funds and provide attack details to Russia’s security forces.
In an August 2016 advisory, Deloitte noted the hidden impact of an incident could amount to 90 percent of the total response cost and may not be felt until more than two years after the event. A November 2016 study by IBM and the Ponemon Institute claimed 66 percent of organizations would be unable to fully recover from a cyberattack due to insufficient planning and the complexity of their systems and processes.
In 2015, the U.S. National Security Council issued a statement vowing to bring the perpetrators of the Sony attack to justice, but to date, nothing has happened. In April 2015, by executive order, President Obama delineated a sanctions program that allowed the U.S. Treasury secretary, in consultation with the attorney general and secretary of state, to target individuals and entities that engaged in cyberattacks or commercial espionage by freezing their assets and barring financial transactions. The April 2015 executive order specified that the aggressors would have to be harming the critical infrastructure, disrupting major networks, stealing intellectual property or benefiting from stolen trade secrets, and any case would have to be supported by evidence that could withstand a court challenge.
In 2015, the U.S. Congress also expanded the definition of the RICO (Racketeer-Influenced Corrupt Organization) statute, originally enacted to address the mafia, and later, drug cartels, to include offenses under the Computer Fraud and Abuse Act. The heart of RICO asserts that anyone involved in a criminal enterprise is responsible for the whole crime. RICO beefed up the Computer Fraud and Abuse Act with stiffer sentences, consecutive sentencing and forfeiture of proceeds. Additionally, on December 1, 2016, Congress granted the FBI authority to search multiple computers across the country, and internationally, based on a single search warrant. Previously, a search warrant could only be effected in the Federal Judicial District in which the judge approved the warrant.
Was the attack on Sony Pictures an act of war? No, arguably, this was probably a state-sponsored attack on a private corporation. The proportional response would not be a declaration of war or even a kinetic attack on some isolated North Korean target by the American military. The situation would not be improved by the loss of a single life on either side, the destruction of property or the further souring of a relationship that already threatens peace. Essentially, the appropriate remedy would not be a military one.
Was it a crime? Collecting sufficient information to attribute the assault to the North Korea regime that would satisfy U.S. standards of criminal evidence, and then, executing the sentence on that regime would have proved problematic. The prosecution rate for cybercrime worldwide is only 5 percent and there is no international treaty on cybercrime.
According to PricewaterhouseCoopers, “Ninety percent of large businesses have experienced a data breach in the last year,” with an average recovery cost of $5.4 million in the U.S., £2.37 million ($3.2 million) in the U.K., €3.52 million ($3.9 million) in Germany and €3.12 million ($3.5 million) in France. The World Economic Forum estimated the economic cost of cybercrime was around $3 trillion in 2016. In the next five years, Cyber Security Ventures, working with the Herjavec Group, expects the cost of cybercrime to double to roughly $6 trillion, with companies responsible for guarding about 50 times more data.
The European General Data Protection regulation, which comes into effect on May 25, 2018, will give victims the right to sue for up to 4 percent of a company’s previous year’s worldwide turnover as a penalty for losing personal data. At some point, the penalties will begin to stifle the commerce it was designed to facilitate. If a quantum computing capability is established as the European Telecommunications Security Institute (ETSI) warned in its recent white paper, “Quantum Safe Computing,” then all public key cryptographic schemes based on hard-to-solve mathematical problems will become obsolete, opening up systems to interception of or tampering with archived information. Clearly, a more forward-leaning response would help level the battlefield.
Global partners must be prepared to take on the technical and administrative responsibilities of the internet, and then, take the next leap to develop interlocked and mutually supportive tools allowing for a more robust response to threats to critical international commercial assets than current diplomatic and legal frameworks allow.
ABOUT THE AUTHOR:
Jeff Bauer is an (ISC)² member located in The Midlands, United Kingdom and the Site Security Manager for SOS International supporting the Europe Division of their Air Force Civil Engineer Center in Oxfordshire, England responsible for planning, scheduling, and monitoring site security personnel and project security. He has taught at the NATIONAL INTELLIGENCE UNIVERSITY- EUROPEAN ACADEMIC CENTER, RAF Molesworth, UK Office: 00-44 (1480) 841152 Cell: 00-44 (7775) 764492 providing instruction in counterintelligence; homeland security; national security; and strategy, as well as directing research and developing academic outreach concerning their distinguished speak and guest speak programs.
Retiring in 2008, BAUER spent 20-years with the FBI, and before that 2-years with the CIA. While working with the FBI, BAUER initially worked in Sacramento, California where he distinguished himself has a hard-working agent investigating White Collar Crime and Cyber Crime and later at FBIHQ as the Bureau’s Chief Security Officer in the Counterterrorism Division/Weapons of Mass Destruction Directorate. BAUER’s resume includes supervising the Bureau’s 24X7 Command Center when the attacks occurred on the WORLD TRADE CENTER and PENTAGON on September 11, 2001 and the attack on the USS COLE in the port of Aden, Yemen in October 2000. He also understands conversational French, Spanish and Greek.
Mr. BAUER’s profile can be seen here: https://fbiretired.com/agent/bauer-jeff/