Global Security, Privacy, & Risk Management

HR 4036, the “Hack Back Bill”; Understanding Active & Passive Deterrence and the Escalation of Force Continuum. October 22, 2017

I wrote this original post several years ago but it seems to be more relevant now.   As CNN reports HR4036…”…formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Its backers are US Representatives Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.”

This is a bill that is sound in theory and terrible in practice.  According to the Bill, (named ACDC) it would enable a company to take “..active defensive measures..” to access an attacker’s computer.  This is only applicable in the US…Think about this for a minute.  What is the evidence that I was the attacker of company A?  Maybe (quite possibly…almost certainly) a hackers is using my system as a proxy.  So some company can now attack my personal computer?  What happened to “due process”?.  If company X simply believes I am a hacker, they can access my personal data without a court order or any due process.  More profoundly, the issues it raises pose very real and very direct risks to employees of the company who ‘hacks back’.  This, I think, is unacceptable.

Having performed physical security in very real and very dangerous environments, I can personally attest to the fact that physical threats are real and difficult to prevent.  By allowing a ‘hack back’ the company faces a very real risk of escalating the situation from the cyber domain into the physical domain.  There is NO corporate data that is worth risking a human life.

Too often cybersecurity professionals forget that they are SECURITY professionals first and the  same rules of deterrence, escalation of force and other aspects apply.  Given this new Bill,  I felt this was a good time to again discuss deterrence (active and passive) and once again talk about the Escalation of Force Cycle.  So, what is deterrence? (warning…long post)..pic of the author off the cost of Somalia doing anti-piracy operations)

The History of Deterrence Theory:

The concept of deterrence is relatively easy to understand and likely extends to the earliest human activities in which one early human dissuaded another from stealing food by employing the threat of violence against the interloper.  Written examples of deterrence can be attributed as far back as the Peloponnesian War, when Thucydides wrote that there were many conflicts in which one army maneuvered in a manner that convinced the opponent that beginning or escalating a war would not be worth the risk.[1]  In the 4^th Century BC, Sun Tzu wrote: “When opponents are unwilling to fight with you, it is because they think it is contrary to their interests, or because you have misled them in to thinking so.”[2]  While most people seem to instinctively understand the concept at the individual level, contemporary deterrence theory was brought to the forefront of political and military affairs during the Second World War with the deployment of nuclear weapons against Nagasaki and Hiroshima.[3]

The application of deterrence during WWII was the beginning of understanding that an internal value calculus drives human behavior and that behavior could be formally modeled and predicted with some degree of accuracy.  By the mid-1940s and through the 1950’s John Van Neuman and, later Nobel Prize recipient John Nash (a Beautiful Mind), developed the mathematical models of Game Theory, which addresses human rationality and decision making.  Game theory and the concepts that underlay game theory are inextricably entwined with deterrence.  Game theory is defined as: “the study of mathematical models of conflict and cooperation between intelligent, rational decision makers.”[4]  By 1962 game theory and its underlying principle of the Rational Actor Model (RAM) was put to real world use during the Cuban Missile Crisis.  In this instance the Nash Equilibrium[5] was employed to predict that the Soviet Union would not escalate the crisis by attempting a run of the US Naval Blockade.  The clearest evidence of the value of deterrence can be seen in Nikita Krushchev’s own words when he warned colleagues that they were: “face to face with the danger of war and of nuclear catastrophe, with the possible result of destroying the human race.”  He went on to say: “In order to save the world, we must retreat.”[6]

The concept of deterrence is synergistic with the concepts of the rational actor model and game theory.  Today, rational deterrence theory has application to, and is frequently employed in, national defense, tactical military operations, counterinsurgency, counter terror, law enforcement, security, and numerous other areas where the predictable understanding of human behavior plays a crucial role.

Key Concepts of Deterrence Theory

USAF General Kevin Chilton (2009) accurately describes deterrence theory when he says:

“deterrence is ultimately about decisively influencing decision making.  Achieving such decisive influence requires altering or reinforcing decision makers’ perceptions of key factors they must weigh in deciding whether to act counter to (our interests) or to exercise restraint.”[7] 

This single sentence encompasses the two underpinnings of deterrence; rational choice and risk management.

Rational Actor Model (RAM)

Deterrence and game theory rely upon the premise that people are rational actors. The Rational Actor Model is based on the rational choice theory which posits that humans are rational and will take actions that are in their own best interests.  Each decision a person makes is based upon an internal value calculus that weighs the cost and the benefits of an action.  By altering the cost-to-benefit ratios of the decisions, decisions, and therefore behavior can be changed accordingly.  While the concept is simple in theory, it can be somewhat more complex in practice.  It should be noted at this point that ‘rationality’ relies upon a personal calculus of costs and benefits.  When speaking about the rational actor model or deterrence, it is critical to understand that ‘rational’ behavior is that which advances the individual’s interests and, as such, behavior may vary among people, groups and situations.  For this reason, it is impossible to prevent all crime through deterrence.  Some people will simply weigh the pros and cons of committing a crime and determine it is ‘worth the risk’ based upon their personal value calculus.

While some criminologists dispute RAM in favor of other models, anecdotally it is difficult to argue with the value of the model.  In The Management of Savagery by Al Qaeda strategist Abu Baker Naji, he directs planners to weigh the “benefit and harm” of differing actions.[8]   This clearly indicates a rational model where a cost benefit calculus is being applied to the operations of a terrorist organization.  George Habash of the Popular Front for the Liberation of Palestine was quoted as saying: “The main point is to select targets where success is 100% assured.”[9]  This, again, echoes the model of risk management and a rational model of decision making.  While the previous quotes are attributed to terrorist organizations or those associated with terrorist origination, the concept repeats in all areas of behavior, including cybercrime.

In his seminal work More Guns Less Crime, economist John Lott discusses burglary rates in Canada, the United Kingdom, and the United States.  In Canada and the UK, where gun control laws are strict, almost half of all burglaries are classified as “hot,” meaning someone was in the house when the burglars committed the crime.  In the US, where gun ownership is more prevalent, “hot” burglaries only account for about 13% of all burglaries.  As Lott explains: “criminals are not behaving differently by accident.”  Surveys of convicted felons indicate that the felons are much more worried about armed victims in the homes then they are about the police.  In interviews about why they did not break into a house when someone was home, the recurring them among criminals was: “that’s the way to get shot.”[10]  While these examples demonstrate that people do weigh costs and benefits to criminal decisions, it is obvious that the challenge lies with understanding the internal, personal value system of the criminal, which varies from individual to individual.  The RAM provides a very good theoretical model from which to work, but is not sufficient to address all known variables.

When considering crime, studies indicate that deterrence does play a role.  As stated by Lott:

“Overall, my conclusion is that criminals as a group tend to behave rationally when crime becomes more difficult, less crime is committed. Higher arrest and conviction rates dramatically reduce crime.”[11]

This is consistent with research that shows that, in general, non-violent criminals and those seeking monetary rewards are more likely to qualify as rational actors. It is then logical that cybercriminals, generally drawn by monetary greed, may be classified as rational actors.  For this reason, it is suggested that the use of deterrent strategies would have a predictable impact on cybercrime.[12]

The Three Components of Deterrence

For any form of deterrence to be effective, it must be based upon the three principles of certainty, celerity, and severity.  Certainty applies to the criminal’s belief in the likelihood of the threat (whether arrest, punishment or retribution) being carried out.  Studies suggest that a certain, consistent level of certainty must be achieved to produce desired consequences.  In short, if a law is all bark and no bite, the threat of a bite will have no impact on the cost benefit analysis.  Logically, if a criminal perceived a certainty of retribution, the criminal would calculate the risk of the crime differently than if they felt it was unlikely the threat would be carried out.  The result is a greater deterrent effect.

Celerity applies to the promptness of the threat being carried out. If there is the threat of immediate action as opposed to the threat of action at some point in the distant future, the deterrent will have greater effect.  Even if the likelihood of the punishment is 100%, if there is no immediate threat of retribution, there will be a decreased level of deterrence.   This can be seen in the statements of the criminals interviewed about “hot” burglaries where they indicated a fear of immediate retribution in the form of an running into angry, armed homeowner during the course of the burglary more than they feared eventual arrest and punishment.

Finally, the severity of punishment is critical to any deterrent.  Most are probably familiar with the statement:  “the punishment must fit the crime”.  The increase in severity has a correlation to the effectiveness of the deterrent.  In short, the greater the severity of the action, the less likely the prospective criminal is to perpetrate the act.  An easy way to show the correlation is through the traditional model of risk analysis.[13]

Active and Passive Deterrence

Understanding that deterrence is about modifying human behavior, we can further categorize deterrence into Passive and Active.

Passive Deterrence – Often called ‘defense’ Sico Von De Meer says: ” The most obvious way to deal with cyber threats is making such attacks more difficult for potential attackers by improving the security of cyber technology systems.” In short, Mr. Von De Meer is stating that by increasing the ‘cost’ of completing the action, the person is passively deterred.  This is consistent with the Rational Actor Model described previously.  You raise the proverbial bar higher than a person is willing to jump to achieve their objectives. 

Active Deterrence– By contrast is described by De Meer when he says: “Active deterrence implies deterring potential cyberattackers by the possibility of retaliation.” In this model, an actor is deterred from taking aggressive action by the potential of retaliation.  Again, it requires the belief in Certainty, celerity and severity to deter the unwanted action.

The Force Continuum and Escalation of Force Doctrine

As cyberattacks continue to plague American companies there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers.  This is frequently referred to as ‘hacking back’ or ‘offensive hacking’.  It is nothing more than ‘Active Deterrence’ as described above.  Several prominent security experts as well as some companies who have fallen victim to cyber-attacks have begun advocating that ‘a good offense is the best defense’.   On May 28^th, 2013 there was an online discussion in which an author of the upcoming book:  The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:

“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added)

The description of the sentiments summarized in the statement above merit closer scrutiny. First, it is important to note that companies are inanimate organizations that do not feel ‘frustrated’ or have ‘wants’ or ‘desires’.  They are simply organizations that are owned and managed by people.  The desire to take action in response to a cyber-attack, while certainly appealing to some people on a visceral level, should be carefully considered by those who feel that retribution or retaliation is a good idea.   In fact, I would argue that the best offense is a proactive defense or ‘passive deterrence’.

Although the term can be debated ad infinitum, security is fundamentally about the protection of assets through the influence of human behavior.  These assets can be digital, physical or even refer to the safety of people, or animals.   Within security the two fundamental principles of deterrence and compellence are used to influence behavior.  Deterrence is the use of influence to prevent an action.   Compellence is the counterpoint to deterrence and was coined by Thomas Shelling in his seminal 1966 book Arms and Influence.   Compellence can be described as the use of influence to create a desirable action.   Influence can be achieved through the threatened and actual use of force to either compel or deter behavior.  Fundamentally, security controls should be designed to either compel or deter behavior.

These two principles are not mutually independent.  Consider an armed guard standing in the lobby of a bank.  This guard both compels patrons to follow the rules, and deters undesirable actions such as attempted robberies.

Advocates of active deterrence or offensive cyber actions often justify their position by correlating the cyber world with that of the physical world.   This is a mistake.  In the corporate cyber world, with few exceptions, there is no danger to the safety of people.  While the theft of intellectual property may cripple a corporation financially, or embarrass them in the public domain there is no direct threat to the safety or security of human life.  It is a well understood security principle that controls should be commensurate with risk.  It is the principles of deterrence, compellence, and risk on which the concept of the force continuum is derived.

Codified in the 1980’s the Force Continuum outlines escalating steps that can be taken to either compel compliance or deter or prevent an undesirable act.  The general idea of a force continuum is an incrimental escalation of force from the absolute minimum and increasing until the highest level, often lethal force, is applied to counter the threat and deter the unwanted behavior. Below is one example of the Use of Force Continuum applied by many police and armed security forces:

1. Physical presence – This is the first step in the continuum and consists of the presence of an authority figure (ie. Police, security guard, etc.)
2. Verbal Commands – Stating with authority the action you want to person to take or not take
3. Empty hand Submission Techniques – If the person does not comply, then empty hand techniques can be applied
4. Intermediate Weapons – the use of baton, ASP, or pepper spray to subdue the actor
5. Lethal Force – The last step in the force continuum to be applied only after all else fails, depending on the severity of the circumstances.

At each step the criminal or suspect must make a determination as to whether their own action is worth an escalation of force by the police officer or guard.  Conversely, the police or guard must make a determination as to whether to escalate to another level of force to compel the criminal to comply and to deter further escalation.  The concept of escalation of force is only effective if there is a threat to the criminal of overwhelming retaliatory action if the escalation continues to the point where life is endangered.  It is important to observe the minimum force necessary to modify the behavior; and once the desired behavior is achieved, the level of force should de-escalate.

As stated, there is a very important difference between cyber security and physical security which seems to be lost on the advocates of offensive cyber action.  In the commercial world of cybercrime, the only real danger is that of data loss, corruption or availability.  In the physical world, the safety and security of people is the primary concern.  It is this difference that allows for the application of the force continuum in the physical world.

As stated previously, if the objective of active response to cybercrime is deterrence, then it is a flawed proposition.  Deterrence relies upon certainty, celerity, and severity to be effective.

–          Certainty refers to the belief the other side has that a result will occur.  This result may be arrest or, in the case of active response, some form of retaliation.

–          Celerity refers to the promptness of the threat being carried out.  To deter behavior there must be a correlation between the offending event and the response.

–          Severity is the most critical to deterrence and indicates the appropriate level of response to an action.  The expression “the punishment should fit the crime” is a classic example of severity being applied to deterrence.[3]

The force continuum is effective because the guards or officers have at their disposal overwhelming response capability (lethal force) to terminate the escalation of action.   Any response initiates the force continuum cycle and creates a situation in which the party that is able and willing to continue to escalate will win.

While debating this point, recently, a person brought up the example of a Marine Security Guard working at an embassy.  This person’s point was that the security guards are constrained by rules of engagement which require them to go through the force continuum to protect the embassy personnel.  This is correct but the reason the guards are effective is because they have the ability and authority, if needed, to continue to escalate to a point of lethal force.

For companies operating in the cyber world, any responsive action could elicit a counter response which would escalate the situation and elicit a further response..  Companies do not have the ability to respond with overwhelming force in such a manner as to deter further escalation from a cyber attacker.  Consider the following example.  Company A is the victim of a Distributed Denial of Service Attack (DDOS) from a group in the far East.  The response of company A is to simply identify the group responsible in the public domain with the hope of causing embarrassment or shame.  The criminal group decides to escalate and responds by physically threatening the lives of the employees of Company A.  Company A now has no other options available to either deter further attacks or compel compliance with the law.  They have, in essence, started a fight they cannot win.  On a more fundamental level, companies have a responsibility to protect their employees.  Considering the example above, it seems irresponsible for a company to take an action that could result in danger to their employees.

In today’s world of increasing cybercrime, the temptation is to take action to respond in kind to an attack.  While this may be an appealing option on an emotional level, it is a very dangerous game for a company to play.  Ultimately, the US military and the US Government have the ability and authority to continue to escalate and respond with overwhelming force to compel compliance or deter deleterious actions.  Corporations do not.  Before embarking on an active response, it is important for companies to ask if they are starting a fight they cannot win.

The statement rather appears to be referring to the company’s employees who may feel bullied or victimized when their organization is breached and, in return, want retaliation.  Understanding that the purpose of security is to ‘protect’ an asset, one must question the objective of a retaliatory response.  Understanding this point, it is difficult to envision the value of retaliation within the commercial segment.  In summary, don’t start a fight you can’t win.

References

[1] Alexander L. George, Richard Smoke (1974).Deterrence in American Foreign Policy: Theory and Practice. Columbia University Press. P 84

[2] Greene, Robert. (2006) The 33 Strategies of War. Viking Penguin.  P 135

[3] Taquechel, Eric F. (Feb 17, 2012). Validation of Rational Deterrence Theory: Analysis of U.S. Government and Adversary Risk Propensity and Relative Emphasis on Gain or Loss. Kindle Edition. (Kindle Locations 561-563)

[4]http://en.wikipedia.org/wiki/Game_theory

[5]http://en.wikipedia.org/wiki/Nash_equilibrium

[6] Allison, Graham (1971). Essence of Decision: Explaining the Cuban Missile Crisis, 1ed. Little Brown. P 362

[7]Chilton, Kevin. (2009) “Waging Deterrence in the Twenty First Century”; Strategic Studies Quarterly

[8] Naji, Abu Bakr. The Management of Savagery, the Most Critical Stage Through Which The Umma Will Pass. Translated by William McCants, http://www.wcfia.harvard.edu/olin/images/Management%20of%20Savagery%20-%2005-23-2006.pdf P 106

[9] Jackson, Brian A.; Morral, Andrew R. (Dec 7, 2009) Understanding the Role of Deterrence in Counterterrorism Security. RAND Corporation. Kindle Edition. (Kindle Locations 111-117).

[10] John R. Lott Jr. More Guns, Less Crime: Understanding Crime and Gun Control Laws, Third Edition (Studies in Law and Economics) University of Chicago Press. Kindle Edition. (Kindle Locations 135-138).

[11] Lott, 2011

[12] Turrini, Elliot (2010) “Increasing Attack Costs & Risks and Reducing Attack Motivations,” Cybercrimes: A Multidisciplinary Analysis. Ghosh and Turrini, eds.  Springer-Verlag. Pp365-375

[13]http://www.ncjrs.gov/App/Publications/abstract.aspx?ID=27596

[14] V. Clarke, “Situational Crime Prevention: Its Theoretical Basis and Practical Scope,” Crime and Justice Vol. 4 (1983): Issue 1. Pp 225-256.