Digitizing the Geneva Convention: Justice on the High (Cyber) Seas
By Jeff Bauer, CISSP
“Those unable to catalog the past are doomed to repeat it.”
–Lemony Snicket, A Series of Unfortunate Events
When navigating the pitfalls of network security and transnational issues, great insight can be achieved by reviewing historical precedents that evolve in response to changing conditions and technologies, such as the law of the sea.
Natural Law, Private War and Self-Defense
In 1603, ships of the United Dutch East India Company on a trading mission to the Spice Islands (Indonesia) were attacked and dispersed by Spanish warships. The admiral of the Dutch fleet proceeded on alone and upon arriving at his destination, learned that there had been another battle between some of his dispersed vessels and a Portuguese fleet. Subsequently, the Dutch admiral captured a large Portuguese ship, put the Portuguese crew ashore and sailed the vessel back to Holland where investors petitioned to have the Portuguese ship and its cargo declared a prize.
The legality of the capture of the Portuguese ship was questionable under prevailing international law in that the United Provinces were in a state of rebellion against their overlord, Philip III, King of Spain and Portugal. Under such conditions, the use of force would have been prohibited except in cases of self-defense, so while the Dutch were allowed to fight off an attack, capturing a Spanish or Portuguese vessel was illegal. The Portuguese subsequently sued for the return of their vessel and its cargo. To argue their case, the Dutch investors engaged a newly minted solicitor, Hugo Grotius. Grotius asserted that the sea was a common possession of mankind and by the common consent of nations, the rules of international commerce included freedom of trade and navigation. According to Grotius, it was a crime against natural law to monopolize something held in common. Grotius argued that Spain and Portugal had violated natural law and by their actions had declared a “private war” on the United Dutch East India Company; he reasoned that a trading company could legally engage in private warfare against other merchants or sovereign states because it not only had a right to trade, but an obligation to safeguard trade and defend its property. Grotius argued that the United Dutch East India Company was entitled to reparations, and in the absence of an effective independent judicial procedure, also had a moral obligation to defend not only its rights, but by extension, everyone else’s rights as well.
He contended that the injured party was entitled to receive the equivalent of the loss and expenses from those who had violated natural law by disrupting the free flow of commerce and attempting to defend an unnatural regional hegemony. Grotius contended that if there was no other source or process from which the injured party could properly receive compensation, then the plaintiff should be allowed to obtain satisfaction from any source whatsoever. Although the full treatise was not published in his lifetime, the shareholders were no doubt pleased when the Dutch courts ruled in their favor.
Regulating a Service Industry
In the late 1600s, the British established Vice Admiralty Courts—in essence, regional civil institutions—in their colonial possessions as a way of regulating commercial maritime activity. Admiralty judges were also empowered to issue Letters of Marque (to address a commercial violation during time of peace) and Reprisal (commissioning of a private vessel to plunder commerce of a hostile power with the strategic goal of disrupting their maritime activities), licenses that distinguished state-authorized plundering from piracy. In time of war, Vice Admiralty Courts also functioned as “prize courts” with the authority to condemn captured enemy ships and cargo.
After the American Declaration of Independence in 1776, the Continental Congress also licensed privateers to offset the paucity of regular American naval assets; with only 64 colonial naval vessels, the Americans needed their privateers more than the Europeans historically ever had. On the other hand, during the War of 1812, America’s privateers did not prevent the Royal Navy from sailing up the Potomac River and unloading troops, which then burned the new capital city, or intervene during the bombardment of Fort McHenry in Baltimore Harbor. John Adams bemoaned the fact that the privateers operated independently and could not be compelled to coordinate in a combined strategy; privateering was a better demonstration of the need for a legitimate naval capability than a substantive strategic concept.
In an August 29, 2016 letter to U.S. President Barack Obama just prior to the G20 Summit held in Hangzhou, China, U.S. senators recommended he raise the issue of cybercrime and call on the G20 leaders to commit to a “coordinated strategy to combat it.” Drawing on the ideas of Grotius, the internet, like the sea and air, could be considered common property, shared by all, who should also be privileged to engage and trade freely with one another across artificial boundaries. The congressional letter recognized that the problem of protecting internet commerce was global, so workable solutions would require an effective, independent regional/international civil adjudication procedure.
Modern ‘Letter of Marque’
A modern cyber “Letter of Marque” would perhaps accomplish what the original document did: establish an international warrant or seizure order issued by a multinational tribunal based on a rigorous, publicly presented examination of the facts, grounded on sound principles of civil judicial procedure, rendered by a panel of experts from a coalition of impartial international partners willing to cooperate to enforce the right of collective self-defense. The weapons of self-defense would be essentially financial, targeting the funds, credit and transactions of the transgressor(s) and seeking primarily to ensure that he who has suffered loss “receives or collects exact and equivalent indemnity” for all losses and expenses from the possessions of the attackers.
To bind the stakeholders to such a procedure, the tribunal would have to be just, open, impartial and transparent, as well as capable of withstanding cross-examination with a sound appeal mechanism. Access to this procedure should be open to all who participate, and if the attacker is unwilling to make due restitution and cannot be compelled by an ineffectual or unwilling national authority, then the injured party should properly receive compensation from any of the malefactor’s sources or from the assets of the ineffectual/unwilling national authority, with all the other participants obligated to facilitate in the reimbursement process.
Consider some more recent examples of cyber heists that carried big headlines and caused major headaches for victims.
- Public disclosure of more than 100 terabytes of Sony Pictures’ confidential information in November 2014 revealed a previously unknown hack that was later used by a hacker group calling itself “Guardians of Peace” to blackmail the entertainment giant into canceling screenings of its satirical comedy, The Interview, about a plot to assassinate the current North Korean leader, Kim Jong-un. Although U.S. intelligence and law enforcement identified North Korea as the likely sponsor of the attack and President Obama enacted additional sanctions against the already sanction-strangled regime, as a commercial enterprise responsible for defending its own information, Sony was largely on its own in dealing with the aftermath. It engaged cybersecurity firm FireEye to assess the damage, shield its employees from the personal data compromise and repair its infrastructure at a considerable cost. In the first quarter of 2015, Sony Pictures reportedly set aside $15 million for incident response, notwithstanding the potentially far costlier loss of income from leaked films and canceled releases.
- In late 2015, a bank in the Philippines and another in Vietnam, as well as a Bengali bank in February 2016, were the targets of online attacks. Security firm Symantec said the attackers used a unique piece of code, encryption algorithms and data deletion methods that had only been used in the Sony Pictures’ intrusion and in previous attacks on banks and media companies in South Korea. The thieves stole $81 million from the central bank of Bangladesh. FireEye reported similar attacks on eight other Asian banks.
- In August 2016, it was revealed that more hacks of the SWIFT global financial messaging system had been discovered at other institutions with some of the previously unknown attacks being successful, although no losses have been disclosed. In May 2016, some of the money from the Bangladesh cyber heist surfaced at Philippine casinos. On November 12, 2016, The Wall Street Journal reported that $15 million seized from the casino by Philippine authorities and held since May had been returned to Bangladesh, although the rest of the proceeds had disappeared into the Philippine casino industry, unlikely ever to be found.
- Reuters reported on a November 2, 2016 SWIFT message warning banks of the escalating threat to their systems. Subsequently, on December 2, The Wall Street Journal carried a news item on the theft of $31.3 million from a correspondent’s bank account at Russia’s central bank, which was able to recover some of the funds and provide attack details to Russia’s security forces.
In an August 2016 advisory, Deloitte noted the hidden impact of an incident could amount to 90 percent of the total response cost and may not be felt until more than two years after the event. A November 2016 study by IBM and the Ponemon Institute claimed 66 percent of organizations would be unable to fully recover from a cyberattack due to insufficient planning and the complexity of their systems and processes.
In 2015, the U.S. National Security Council issued a statement vowing to bring the perpetrators of the Sony attack to justice, but to date, nothing has happened. In April 2015, by executive order, President Obama delineated a sanctions program that allowed the U.S. Treasury secretary, in consultation with the attorney general and secretary of state, to target individuals and entities that engaged in cyberattacks or commercial espionage by freezing their assets and barring financial transactions. The April 2015 executive order specified that the aggressors would have to be harming the critical infrastructure, disrupting major networks, stealing intellectual property or benefiting from stolen trade secrets, and any case would have to be supported by evidence that could withstand a court challenge.
In 2015, the U.S. Congress also expanded the definition of the RICO (Racketeer-Influenced Corrupt Organization) statute, originally enacted to address the mafia, and later, drug cartels, to include offenses under the Computer Fraud and Abuse Act. The heart of RICO asserts that anyone involved in a criminal enterprise is responsible for the whole crime. RICO beefed up the Computer Fraud and Abuse Act with stiffer sentences, consecutive sentencing and forfeiture of proceeds. Additionally, on December 1, 2016, Congress granted the FBI authority to search multiple computers across the country, and internationally, based on a single search warrant. Previously, a search warrant could only be effected in the Federal Judicial District in which the judge approved the warrant.
Was the attack on Sony Pictures an act of war? No; arguably, it was a state-sponsored attack on a private corporation. The proportional response would not be a declaration of war or even a kinetic attack on some isolated North Korean target by the American military. The situation would not be improved by the loss of a single life on either side, the destruction of property or the further souring of a relationship that already threatens peace. Essentially, the appropriate remedy would not be a military one.
Was it a crime? Collecting sufficient information to attribute the assault to the North Korean regime that would satisfy U.S. standards of criminal evidence, and then executing the sentence on that regime, would have proved problematic. The prosecution rate for cybercrime worldwide is only 5 percent, and there is no international treaty on cybercrime.
According to PricewaterhouseCoopers, “Ninety percent of large businesses have experienced a data breach in the last year,” with an average recovery cost of $5.4 million in the U.S., £2.37 million ($3.2 million) in the U.K., €3.52 million ($3.9 million) in Germany and €3.12 million ($3.5 million) in France. The World Economic Forum estimated the economic cost of cybercrime was around $3 trillion in 2016. In the next five years, Cyber Security Ventures, working with the Herjavec Group, expects the cost of cybercrime to double to roughly $6 trillion, with companies responsible for guarding about 50 times more data.
The European General Data Protection Regulation, which comes into effect on May 25, 2018, will give victims the right to sue for up to 4 percent of a company’s previous year’s worldwide turnover as a penalty for losing personal data. At some point, the penalties will begin to stifle the commerce the regulation was designed to facilitate. If a quantum computing capability is established, as the European Telecommunications Security Institute (ETSI) warned in its recent white paper, “Quantum Safe Computing,” then all public key cryptographic schemes based on hard-to-solve mathematical problems will become obsolete, opening up systems to interception of or tampering with archived information. Clearly, a more forward-leaning response would help level the battlefield.
Global partners must be prepared to take on the technical and administrative responsibilities of the internet, and then, take the next leap to develop interlocked and mutually supportive tools allowing for a more robust response to threats to critical international commercial assets than current diplomatic and legal frameworks allow.
Jeff Bauer is an (ISC)² member located in The Midlands, United Kingdom.
5 Minutes with Kevin L. Jackson
A condensed version of this Q&A appears in the current issue of InfoSecurity Professional magazine.
Kevin L. Jackson is originally from Baltimore, Md., and now lives outside Washington, D.C., in Manassas, Va. He is the founder and CEO of GovCloud Network, LLC and blogs at “Cloud Musings” on the company website at http://blog.govcloudnetwork.com/. He has been an (ISC)² member for two years.
1. What did you want to be when you were 10 years old?
Like just about everyone else who grew up in the ‘60s, I wanted to be an astronaut. That goal actually led me to the U.S. Naval Academy and becoming a naval aviator.
In 1994 I finally had enough of a resume to apply to the Space Shuttle program, but eventually was disqualified due to hypertension. It was a great ride while it lasted though.
2. When did you know you wanted to work in information security instead?
My information technology career was actually spawned by my infatuation with space. After flying on and off aircraft carriers I became an Aerospace Engineering Duty Officer with the Navy Space Technology Program, working on satellites and global communications networks. That led to my computer engineering degree and eventually e-business with IBM and finally, cloud computing security.
3. Do you think it’s more difficult or easier now to become an information security specialist? (And why?)
It’s much more difficult now because of the breadth of technology, sophistication of the threat, and the intertwining of business, economic and social interactions.
4. You specialize in the cloud, right? Briefly, how are cloud technologies evolving?
Cloud computing has evolved from being an IT option, to being the leading model for delivering and consuming IT services. It has also grown from being just about IT, to being the engine of innovation across just about every industry.
5. And in that evolution, is it becoming easier or harder for cybersecurity professionals to protect the data being delivered, stored and extracted from cloud services?
Most cybersecurity professionals grew up in a world where they essentially made all the decisions. They determined the threat, evaluated and selected protective technologies, deployed and configured the boxes, and managed the infrastructure until the recap budget started the cycle over again. This was an “infrastructure-centric” security model that relied on the use of trusted networks and people.
Cloud computing is completely different. The first rule of cloud is to never trust the infrastructure because that’s the purview of the cloud service provider. In today’s world, you really don’t know where your data may need to go. This necessitates the adoption of a “data-centric” security model that depends on data classification, encryption at rest and in motion, and tight enterprise IT governance. Change is always hard but this represents a sea change in IT security.
6. What is it like working as a government contractor?
Government contracting is all about serving your agency’s constituents in an economically defensible manner. Even though revenue and profit are the business goals, success only comes if your customer-agency accomplishes its mission-related goal.
7. What is one tip you’d give to others seeking to work with a government agency?
Know the agency mission. Focus on the agency mission. Become a trusted advisor.
8. What keeps you up at night?
Cybersecurity today is not a technology battle between the good guys and the bad. It is a mundane, boring and tedious task of following well-known best practices, educating users and paying attention to the details. I fear that by getting bored and lax with these fundamentals, the collective “we” will just let Mr. Black Hat walk right in. Thinking about that keeps me up both night and day.
9. Where do you see cloud technologies and services heading? Will it even be known as “the cloud” by 2020 or beyond?
As a term of art, “cloud” will lose its ability to distinguish anything in IT because everything will be “cloud.” It’s also important to note that cloud isn’t a single entity. The term represents an IT services ecosystem designed to meet specific business, mission or personal needs. This reality is driving the need for better cloud ecosystem design capabilities, and as an industry we need to get away from using PowerPoint, Excel and Visio as our primary cloud design tools.
10. If you had to recommend a time for someone to come visit your area, what time of year would you recommend? (And why?)
The DC metro area is best in the spring! Visit the monuments and Smithsonian before the tourists arrive, enjoy the cherry blossoms in the Tidal Basin and catch the Wizards, Capitals or Nationals chasing after the championship. That’s also when the international nature of the city is most obvious as the cultural festivals kick off for the summer.