How far should companies be allowed to go to hunt cyber attackers?
Stewart Baker of Steptoe & Johnson
Photo by Kathy Anderson
Suppose a thief breaks into your house and steals your belongings. In efforts to cover his tracks, the thief hides your stuff in a neighbor’s garage. The neighbor doesn’t realize your property is in his garage, but you find it there. What do you do next–go into the neighbor’s garage to retrieve your stuff, or call the police and hope they respond promptly?
A much more complex version of that scenario is playing out in the cybersecurity field with no clear resolution in sight.
The problem was discussed at a program presented Saturday by the ABA Standing Committee on Law and National Security in Dallas, where the association is holding its 2013 Midyear Meeting.
The issue, agreed three experts who spoke on the panel, is to what extent private concerns may go to track down the intruders who break into their computer systems and where the intruders hide that data to avoid detection. The dilemma, said Steven Chabinsky, is that the federal government has the statutory authority to carry out such investigations but lacks the resources and capabilities, while the private sector has the capability but lacks clear legal authority.
“The private sector has learned it has to explore the legality of doing it on its own,” said Chabinsky, because there hasn’t been sufficient dialogue between private companies and the government on how to proceed. “This discussion has to emerge,” said Chabinsky said, who was a deputy assistant director at the FBI before joining the cybersecurity firm CrowdStrike.
The strategy of tracking compromised data to identify intruders often is described as “active defense,” but panelist Stewart Baker said it might be more appropriate to call it passive-aggressive defense. A key concern is that the U.S. Computer Fraud and Abuse Act raises questions about whether a private concern may go out of its own network and break into outside systems to find its stolen data. A related issue, he said, is whether a company may put information into its system for the sole purpose of tracking where it goes in the case of a breach. And under many foreign laws, self-defense actions by private companies amount to espionage. Baker is a partner at Steptoe & Johnson, and a former general counsel for the National Security Agency.
Another reason for coming to terms with the so-called active defense issue, said Baker and Chabinsky, is that efforts to protect data from breaches are simply not working. “We’ve never had more secure operating systems, and at the same time, we’ve never been less secure,” Baker said. “We’ve tried to just fix all the holes, and that has failed. It’s like buying better body armor to go out and buy milk.”
Toward the end of the program, Chabinsky noted, “Well over a thousand companies probably have been intruded upon in the hour and 10 minutes we’ve been sitting here talking.”
Active defense is one of the issues on the agenda of the Cybersecurity Legal Task Force, which was created in August by the ABA Board of Governors at the request of President Laurel G. Bellows of Chicago, said Harvey Rishikof, who chaired the cybersecurity panel. Rishikof, a law professor at Drexel University, co-chairs the task force with Judith A. Miller, an attorney in Washington, D.C. The task force is working closely with 11 ABA sections and divisions that have committees looking at issues relating to cybersecurity.
Also see the special ABA Journal series featuring the work of the ABA Standing Committee on Law and National Security, especially:
What Is the Role of Lawyers in Cyberwarfare? by Stewart A. Baker and Charles J. Dunlap Jr.