6/13/2013 01:16 PM
Gunter Ollmann
Commentary

Letter Of (Cyber) Marque And Reprisal

Facilitating future 'hack back' programs

The past couple of years have seen a growing base of "hack back" supporters -- with several new businesses around the globe now presenting their services in a similar vein, each advocating more forceful responses to breaches, such as launching denial-of-service attacks against the attackers, hacking botnet command-and-control servers, embedding exploits in pilfered documents, etc., in an effort to mitigate ongoing threats.

While the service offerings are full of bluster and promise -- arguably to appeal to the media more than to potential customers -- what is clear is that there is a large delta between what's being proposed and what services are actually being delivered on a daily basis. It would seem that there's a small problem with what some people would like the laws to be and what they actually are (at this point in time). All of which brings me to the discussion of letters of marque.

The concept of "letter of marque," or more precisely "letter of marque and reprisal," has been thrown about now and again in hacking and breach discussions over beers for several years as a novel solution to overcoming the legal shackles holding back the more assertive methods of dealing with a cyberthreat. Given the changing attitude to dealing with persistent threats commonly attributed to China and organized crime, perhaps it is now time to look more seriously at the proposal.

According to the Oxford English Dictionary, the phrase "letter of marque and reprisal" originally referred to "a license granted by a sovereign to a subject, authorizing him to make reprisals on the subjects of a hostile state for injuries alleged to have been done to him by the enemy's army."

It may sound a little outdated, but the U.S. Constitution still provides Congress with the power "To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water" (Article I, Section 8, Clause 11).

Now I'm no lawyer, but even that dated definition resonates with key elements of the threat faced by organizations and private business today. Undoubtedly there are a whole bunch of sticking points that need to be dissected by learned professors of law somewhere, but to laymen looking for a bridge to overcome the cumbersome and outdated laws that prevent them from stopping the next breach by a known and named adversary ... well, the granting of these letters would hold considerable appeal.

I see this approach as being quite different to the vigilante and mercenary alternatives often discussed -- in particular, allowing an organization to defend itself by taking reprisals in order to prevent an attack from occurring again in the future, and the tendering of a bond to ensure adherence to a code of ethics. I could easily see the likes of Google, GE, Lockheed Martin, Bank of America, etc., employing internal teams and resources to deal with a proven list of cyberadversaries under the guise and bounds of such a letter.

While many would consider the focus to be on the protagonists in what has effectively become an undeclared cyberwar with China, I'd personally be more inclined to focus on the known pirates of the virtual seas of the Internet -- the organized crime units that run, propagate, and capitalize on botnet victims.

The majority of these villains are well-known to threat analysts and law enforcement; however, they operate under the physical protection and immunity of various agencies and governments around the world. A letter of marque and reprisal would go a long way in dealing with these particular pirates.

I'd hazard to guess that within a few short months (given the long leash that a Letter would provide), a more sizable dent could be made in dealing with this threat than has been made in the past decade of legal takedowns and prosecutions.

But at the end of the day, the probable issuance of Letters of (Cyber) Marque and Reprisal to U.S. organizations looks to be pretty remote -- at least until some real legal review has been performed, or until vigilantism gets so out of control that an alternative legal avenue is desperately sought.

Gunter Ollmann serves as CTO for IOActive Inc., where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ...

Comments
InfoSecurityMaster, User Rank: Apprentice
6/20/2013 | 5:08:11 PM
re: Letter Of (Cyber) Marque And Reprisal
Letters of Marque generally were used to authorize pirates to attack a country's enemies at times when the ruler didn't want to send his navy. The reasoning was politics as well as the rulers being related. Many of the famed Classical Period Pirates carried Letters of Marque at times. Some countries ignored the Letters.

Letters were essentially banned later. Note the creation of the "Laws of War", Geneva Conventions, Hague Conventions, Westphalia, and so on.

Privateers mostly arose when a country needed to supplement their conscripted naval forces, such as for revolution (e.g. US Revolution) and during war. Letters could have been provided.

For the Cyber Age, I'm not sure how a Letters of Marque system would work. It isn't quite vigilantism nor privateering. It might fall under cyber mercenaries.

We need a better solution than Cyber Privateers. Similarly, we need a better proposal than US Cyber Command too. Both are pretty idiotic without acceptable structure and norms.

The norms and structure have only recently been addressed. Consultants to NATO have a fair proposal regarding combat in cyber, although it will probably need refinement. It is anyone's guess as to whether any country would sign on to it.

So, even more basic, the need is for norms and structures. Privateers and Pirates have fallen due to definitions of what a nation-state is, and especially what is acceptable on the high seas. Generically, it's the Law of the Seas. Refer to the Conventions for some insight. But these need to be translated into terms practicable in cyber, as the aforementioned NATO consultants have done. This would be best described as an International Law of the Cyber, or the Demilitarization of Cyber. The space-faring and nuclearized nations have a 30 or 40 year old agreement to not militarize space or the moon (as Antarctica as well, if you want a more down to earth scenario). Countries adhering to these have Ministers and Secretaries of State and of War in order to manage these. Therefore, signatories to an ILoC should also have a Secretary of Cyber (as opposed to another idiotic position of delegating cyber to Secretary of Homeland Security). Cyber does not exist within any nation-state, so it is not a realm of state. Likewise we should not militarize it, so the Ministry of Defense or Homeland is also inappropriate.

Not There, User Rank: Apprentice
6/14/2013 | 4:29:05 PM
re: Letter Of (Cyber) Marque And Reprisal
Yes, such letters might well help take down or at least force subtlety on known criminal organizations, but they would create the same problems that such letters had in the days of privateers hunting pirates. The privateers were paid to hunt and destroy suspected pirates and often ended up being nothing more than legalized pirates themselves.
These letters also had the problems of upping tensions between nations and driving legal reprisals on their side. Think about how we would react if Russia, for instance, made it legal for their large organizations to strike back against a US hacker and managed to take out entire innocent networks for little more result than forcing the hacker to create a new proxy server somewhere else.
Overall, the idea is nice, but like vigilantism, reality just does not correspond well with the ideal.