In the fight against cyber crime, while exciting technological advances and major data heists often steal the spotlight, most of the effective actions taken against cyber criminals have taken place in court.
Writing about the Waledac botnet take-down on Microsoft’s Malware Protection Center blog, program manager Jeff Williams opined, “we’ve also learned from this experience that our legal action has been successful in helping to sever the command and control communications for Waledac at the domain level thus far… Our goal with this lawsuit is to help promote a safer, more secure Internet, and we will continue to work toward that aim as we move forward in the case.”
Also, in February of this year, Spanish police arrested the administrators of the Mariposa botnet, using a combination of high-tech forensics and cooperation with law enforcement. After one of the cyber criminals connected to the botnet directly from his home computer instead of via a virtual private network (a highly secure way of masking a computer’s IP address), authorities traced him to his home in Spain and arrested him.
According to Lt. Gen. Harry Raduege, Chairman of Deloitte’s Center for Cyber Innovation, the problem of attribution is not normally a technological one. “The hardest barriers with respect to attribution stem from legal, policy and cultural implications.”
Raduege says an effective deterrent in cyberspace is “to hold bad actors accountable for their actions. Last week, the Boston federal court sentenced Albert Gonzalez, a notorious cyber criminal, with two concurrent 20-year sentences and three years of supervised release without any access to computers and a $25,000 fine. This is a clear signal to anyone that cyber crime is taken seriously by law enforcement officials who are highly trained and capable of investigating this type of crime, apprehending suspects, and sentencing guilty parties. Indeed, cyberspace does not offer sanctuary for criminal activity; just ask Albert Gonzalez. He should have plenty of time to respond but only through non-cyber means.”
While the majority of cyber attacks involve data theft for profit, the question remains what changes legally when the data stolen is not bank account information but classified defense technology: what constitutes an act of cyber war? Raduege offers, “An act of war in cyberspace is relative in nature. If you are working in a network operations center, you’re at war every day against the myriad of cyber attackers who wage war against your smoothly functioning information network domain. At the other end of the spectrum however, at the national level, war is considered to be in effect when the national will of one nation is negatively affected by the attacks of another nation.”
The debate surrounding security in cyberspace is parallel to the debate surrounding civilian court trials for terrorists like Khalid Sheikh Mohammed: it’s unclear when DoD, DHS, DOJ or local law enforcement needs to step in or step aside. In the recent CyberShockwave cyber drill, Fran Townsend, playing the role of secretary of Homeland Security, advocated for ceding her authority to the DoD and supporting them in a “homeland defense” model rather than homeland security, and participants discussed nationalizing power companies and service providers if they failed to act in the national interest.
When is it appropriate to retaliate in cyberspace and when should governments litigate? Raduege comments, “One could argue that both the threat of cyber retaliation and the threat of litigation have distinctive qualities as cyberspace deterrent options. Whether you work in government or industry, it’s always best to have various options available. Choices always keep your enemies or competition guessing.”