Two articles from Stewart Baker, one over at The Volokh Conspiracy, and another from Baker’s Skating on Stilts blog.
The first piece from the Skating on Stilts blog covers the role of the private sector and retribution. The article is a bit old (Sept 18), but it joins a chorus of recent articles and comments calling for an acknowledged right of cyber self-defense for the private sector. First, Baker argues that the attribution problem is overblown as “[n]o one can function in cyberspace without dropping bits of identifying data here and there.” By observing hackers within a compromised network and following them back to their own, “we should be able to put attribution — and retribution — back at the center of our response to cyberattacks.”
Baker goes on to argue for a right of cyber self-defense for the private sector, explaining that the private sector is both losing the most money and is in the best location to find the hackers. Even if a company were to report a state-sponsored intrusion, Baker feels that they would get the stolen bicycle treatment from federal agencies: sorry it got stolen, you’re not going to get it back and we’re not going to look for the person that took it.
Love his thoughts here:
Until recently, too many government officials have viewed such private countermeasures as the equivalent of vigilante justice. In my view, that just shows their lack of imagination . . . [I]f I remember correctly the westerns I watched growing up, if a gang robs the town bank and the sheriff finds himself outnumbered, he deputizes a posse of citizens to help him track the robbers down. Not one of those solutions is the equivalent of a lynch mob or of vigilante justice. Every one allows the victim to supplement law enforcement while preserving social control and oversight.
You can find the rest of Mr. Baker’s article on private self-defense here.
***
The second Baker article, found on The Volokh Conspiracy, goes into greater detail on attribution. Many assume that private sector self-defense won’t work because attribution is complicated. While Baker doesn’t cover private sector self-defense in this article, he does suggest that attribution is less complicated than previously thought. He lays out two recent news events: the arrest of an Anonymous hacker and the shaming of a Chinese hacker. As for the Anon hacker, he posted a picture of his girlfriend with a mocking message to those he had hacker. He was unaware that Apple embeds geolocation data in iPhone pictures, and so the FBI paid him a visit. As for the Chinese hacker, some very determined security researchers carefully analyzed recent cyber intrusions. They noticed several patterns, connected those patterns with a specific person at a Chinese university, and then prompted the NY Times to call the hacker and ask for comment. The hacker’s response? “I have nothing to say.”
4 Pingbacks