“Active Responses” to CyberAttacks are Losing Propositions May 22, 2014

Posted by Chris Mark in cybersecurity, Data Breach.

“Everyone has a plan until they’ve been hit” – Joe Lewis

Numerous years spent providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia have given me a deep respect for the force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.

As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as ‘hacking back’ or ‘offensive hacking’. Several prominent security experts, as well as some companies that have fallen victim to cyber-attacks, have begun advocating that ‘a good offense is the best defense’. On May 28th, 2013, there was an online discussion in which an author of the upcoming book The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:

“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added)

The sentiments summarized in the statement above merit closer scrutiny. First, it is important to note that companies are inanimate organizations that do not feel ‘frustrated’ or have ‘wants’ or ‘desires’. They are simply organizations that are owned and managed by people. The desire to take action in response to a cyber-attack, while certainly appealing to some people on a visceral level, should be carefully considered by those who feel that retribution or retaliation is a good idea. In fact, I would argue that the best offense is a proactive defense.

Although the term can be debated ad infinitum, security is fundamentally about the protection of assets through the influence of human behavior. These assets can be digital or physical, or can even refer to the safety of people or animals. Within security, the two fundamental principles of deterrence and compellence are used to influence behavior. Deterrence is the use of influence to prevent an action. Compellence is the counterpoint to deterrence; the term was coined by Thomas Schelling in his seminal 1966 book Arms and Influence. Compellence can be described as the use of influence to create a desirable action. Influence can be achieved through the threatened and actual use of force to either compel or deter behavior. Fundamentally, security controls should be designed to either compel or deter behavior.

These two principles are not mutually independent.  Consider an armed guard standing in the lobby of a bank.  This guard both compels patrons to follow the rules, and deters undesirable actions such as attempted robberies.

Advocates of active response or offensive cyber actions often justify their position by correlating the cyber world with that of the physical world. This is a mistake. In the cyber world, with few exceptions, there is no danger to the safety of people. While the theft of intellectual property may cripple a corporation financially, or embarrass it in the public domain, there is no direct threat to the safety or security of human life. It is a well understood security principle that controls should be commensurate with risk. It is from the principles of deterrence, compellence, and risk that the concept of the force continuum is derived.

Developed in the 1980s, the Force Continuum outlines escalating steps that can be taken to either compel compliance or deter or prevent an undesirable act. The general idea of a force continuum is an escalation of force, starting from the absolute minimum and increasing until the highest level, often lethal force, is applied to counter the threat. Below is one example of the Use of Force Continuum applied by many police and armed security forces:

  1. Physical presence – This is the first step in the continuum and consists of the presence of an authority figure (i.e., police, security guard, etc.)
  2. Verbal Commands – Stating with authority the action you want the person to take or not take
  3. Empty hand Submission Techniques – If the person does not comply, then empty hand techniques can be applied
  4. Intermediate Weapons – the use of baton, ASP, or pepper spray to subdue the actor
  5. Lethal Force – The last step in the force continuum to be applied only after all else fails, depending on the severity of the circumstances.

At each step the criminal or suspect must make a determination as to whether their own action is worth an escalation of force by the police officer or guard.  Conversely, the police or guard must make a determination as to whether to escalate to another level of force to compel the criminal to comply and to deter further escalation.  The concept of escalation of force is only effective if there is a threat to the criminal of overwhelming retaliatory action if the escalation continues to the point where life is endangered.  It is important to observe the minimum force necessary to modify the behavior; and once the desired behavior is achieved, the level of force should de-escalate.

As stated, there is a very important difference between cyber security and physical security which seems to be lost on the advocates of offensive cyber action. In the commercial world of cybercrime, the only real danger is that of data loss, corruption, or loss of availability. In the physical world, the safety and security of people is the primary concern. It is this difference that allows for the application of the force continuum in the physical world.

If the objective of active response to cybercrime is deterrence, then it is a flawed proposition.  Deterrence relies upon certainty, celerity, and severity to be effective.

– Certainty refers to the belief the other side has that a result will occur. This result may be arrest or, in the case of active response, some form of retaliation.

– Celerity refers to the promptness of the threat being carried out. To deter behavior there must be a correlation between the offending event and the response.

– Severity is the most critical to deterrence and indicates the appropriate level of response to an action. The expression “the punishment should fit the crime” is a classic example of severity being applied to deterrence.[3]

The force continuum is effective because the guards or officers have at their disposal overwhelming response capability (lethal force) to terminate the escalation of action.  While debating this point, recently, a person brought up the example of a Marine Security Guard working at an embassy.  This person’s point was that the security guards are constrained by rules of engagement which require them to go through the force continuum to protect the embassy personnel.  This is correct but the reason the guards are effective is because they have the ability and authority, if needed, to continue to escalate to a point of lethal force.

For companies operating in the cyber world, any responsive action could elicit a counter response which would escalate the situation and elicit a further response. Companies do not have the ability to respond with overwhelming force in such a manner as to deter further escalation from a cyber attacker. Consider the following example. Company A is the victim of a Distributed Denial of Service (DDoS) attack from a group in the Far East. The response of Company A is to simply identify the group responsible in the public domain with the hope of causing embarrassment or shame. The criminal group decides to escalate and responds by physically threatening the lives of the employees of Company A. Company A now has no other options available to either deter further attacks or compel compliance with the law. They have, in essence, started a fight they cannot win. On a more fundamental level, companies have a responsibility to protect their employees. Considering the example above, it seems irresponsible for a company to take an action that could result in danger to their employees.

In today’s world of increasing cybercrime, the temptation is to take action to respond in kind to an attack.  While this may be an appealing option on an emotional level, it is a very dangerous game for a company to play.  Ultimately, the US military and the US Government have the ability and authority to continue to escalate and respond with overwhelming force to compel compliance or deter deleterious actions.  Corporations do not.  Before embarking on an active response, it is important for companies to ask if they are starting a fight they cannot win.

The statement rather appears to be referring to the company’s employees who may feel bullied or victimized when their organization is breached and, in return, want retaliation.  Understanding that the purpose of security is to ‘protect’ an asset, one must question the objective of a retaliatory response.  Understanding this point, it is difficult to envision the value of retaliation within the commercial segment.  In summary, don’t start a fight you can’t win.


[1] http://www.honeynet.org/node/1048

[2] Honeypot.org; “Debating the Active Response Continuum; Defining the Terms of Debate”; Accessed May 28, 2013

[3] http://www.idga.org/intelligence/white-papers/a-rational-analysis-of-deterrence-theory-and-the-e/


1. Chris Mark - June 15, 2014

Reblogged this on SECURITY H.O.G.
