Attacks/Breaches
6/13/2013
01:16 PM
Gunter Ollmann
Commentary

Letter Of (Cyber) Marque And Reprisal

Facilitating future 'hack back' programs

The past couple of years have seen a growing base of "hack back" supporters -- with several new businesses around the globe now presenting their services in a similar vein, each advocating more forceful responses to breaches, such as launching denial-of-service attacks against the attackers, hacking botnet command-and-control servers, embedding exploits in pilfered documents, etc., in an effort to mitigate ongoing threats.

While the service offerings are full of bluster and promise -- arguably to appeal to the media more than to potential customers -- what is clear is that there is a large delta between what's being proposed and what services are actually being delivered on a daily basis. It would seem that there's a small problem with what some people would like the laws to be and what they actually are (at this point in time). All of which brings me to the discussion of letters of marque.

The concept of "letter of marque," or more precisely "letter of marque and reprisal," has been thrown about now and again in hacking and breach discussions over beers for several years as a novel solution to overcoming the legal shackles holding back the more assertive methods of dealing with a cyberthreat. Given the changing attitude to dealing with persistent threats commonly attributed to China and organized crime, perhaps it is now time to look more seriously at the proposal.

According to the Oxford English Dictionary, the phrase "letter of marque and reprisal" originally referred to "a license granted by a sovereign to a subject, authorizing him to make reprisals on the subjects of a hostile state for injuries alleged to have been done to him by the enemy's army."

It may sound a little outdated, but the U.S. Constitution still provides Congress with the power "To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water" (Article I, Section 8, Clause 11).

Now I'm no lawyer, but even that dated definition resonates with key elements of the threat faced by organizations and private business today. Undoubtedly there are a whole bunch of sticking points that need to be dissected by learned professors of law somewhere, but to laymen looking for a bridge to overcome the cumbersome and outdated laws that prevent them from stopping the next breach by a known and named adversary ... well, the granting of these letters would hold considerable appeal.

I see this approach as being quite different to the vigilante and mercenary alternatives often discussed -- in particular, allowing an organization to defend itself by taking reprisals in order to prevent an attack from occurring again in the future, and the tendering of a bond to ensure adherence to a code of ethics. I could easily see the likes of Google, GE, Lockheed Martin, Bank of America, etc., employing internal teams and resources to deal with a proven list of cyberadversaries under the guise and bounds of such a letter.

While many would consider the focus to be on the protagonists in what has effectively become an undeclared cyberwar with China, I'd personally be more inclined to focus on the known pirates of the virtual seas of the Internet -- the organized crime units that run, propagate, and capitalize on botnet victims.

The majority of these villains are well-known to threat analysts and law enforcement; however, they operate under the physical protection and immunity of various agencies and governments around the world. A letter of marque and reprisal would go a long way in dealing with these particular pirates.

I'd hazard a guess that within a few short months (given the long leash that a Letter would provide), a more sizable dent could be made in dealing with this threat than has been made in the past decade of legal takedowns and prosecutions.

But at the end of the day, the probable issuance of Letters of (Cyber) Marque and Reprisal to U.S. organizations looks to be pretty remote -- at least until some real legal review has been performed, or until vigilantism gets so out of control that an alternative legal avenue is desperately sought.

Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ...

Comments
InfoSecurityMaster,
User Rank: Apprentice
6/20/2013 | 5:08:11 PM
re: Letter Of (Cyber) Marque And Reprisal
Letters of Marque generally were used to authorize pirates to attack a country's enemies at times when the ruler didn't want to send his navy. The reasoning was politics as well as the rulers being related. Many of the famed Classical Period Pirates carried Letters of Marque at times. Some countries ignored the Letters.

Letters were essentially banned later. Note the creation of the "Laws of War", Geneva Conventions, Hague Conventions, Westphalia, and so on.

Privateers mostly arose when a country needed to supplement their conscripted naval forces, such as for revolution (e.g. US Revolution) and during war. Letters could have been provided.

For the Cyber Age, I'm not sure how a Letters of Marque system would work. It isn't quite vigilantism nor privateering. It might fall under cyber mercenaries.

We need a better solution than Cyber Privateers. Similarly we need a better proposal than US Cyber Command too. Both are pretty idiotic without acceptable structure and norms.

The norms and structure have only recently been addressed. Consultants to NATO have a fair proposal regarding combat in cyber, although it will probably need refinement. It is anyone's guess as to whether any country would sign on to it.

So, even more basic, the need is for norms and structures. Privateers and Pirates have fallen due to definitions of what a nation-state is, and especially what is acceptable on the high seas. Generically, it's the Law of the Seas. Refer to the Conventions for some insight. But these need to be translated into terms practicable in cyber, as the aforementioned NATO consultants have done. This would be best described as an International Law of the Cyber, or the Demilitarization of Cyber. The space-faring and nuclearized nations have a 30- or 40-year-old agreement to not militarize space or the moon (and Antarctica as well, if you want a more down-to-earth scenario). Countries adhering to these have Ministers and Secretaries of State and of War in order to manage these. Therefore, signatories to an ILoC should also have a Secretary of Cyber (as opposed to another idiotic position of delegating cyber to the Secretary of Homeland Security). Cyber does not exist within any nation-state, so it is not a realm of state. Likewise we should not militarize it, so the Ministry of Defense or Homeland is also inappropriate.
Not There,
User Rank: Apprentice
6/14/2013 | 4:29:05 PM
re: Letter Of (Cyber) Marque And Reprisal
Yes, such letters might well help take down, or at least force subtlety on, known criminal organizations, but they would create the same problems that such letters had in the days of privateers hunting pirates. The privateers were paid to hunt and destroy suspected pirates and often ended up being nothing more than legalized pirates themselves.
These letters also had the problems of upping tensions between nations and driving legal reprisals on their side. Think about how we would react if Russia, for instance, made it legal for their large organizations to strike back against a US hacker and managed to take out entire innocent networks for little more result than forcing the hacker to create a new proxy server somewhere else.
Overall, the idea is nice, but like vigilantism, reality just does not correspond well with the ideal.