HR 4036, the “Hack Back Bill”; Understanding Active & Passive Deterrence and the Escalation of Force Continuum. October 22, 2017
Posted by Chris Mark in cybersecurity, Uncategorized. Tags: cybersecurity, deterrence, escalation of force, force continuum, game theory, Hack Back, HR4034, john lott, john nash, rational actor, von Neumann
I wrote this original post several years ago but it seems to be more relevant now. As CNN reports, HR4036 “…formerly called the Active Cyber Defense Certainty (ACDC) Act and informally called the hack-back bill – was introduced as an amendment to the Computer Fraud and Abuse Act (CFAA) last week. Its backers are US Representatives Tom Graves, a Georgia Republican, and Kyrsten Sinema, an Arizona Democrat.”
This is a bill that is sound in theory and terrible in practice. According to the Bill (named ACDC), it would enable a company to take “…active defensive measures…” to access an attacker’s computer. This is only applicable in the US… Think about this for a minute. What is the evidence that I was the attacker of company A? Maybe (quite possibly… almost certainly) a hacker is using my system as a proxy. So some company can now attack my personal computer? What happened to “due process”? If company X simply believes I am a hacker, they can access my personal data without a court order or any due process. More profoundly, the issues it raises pose very real and very direct risks to employees of the company that ‘hacks back’. This, I think, is unacceptable.
Having performed physical security in very real and very dangerous environments, I can personally attest to the fact that physical threats are real and difficult to prevent. By allowing a ‘hack back’ the company faces a very real risk of escalating the situation from the cyber domain into the physical domain. There is NO corporate data that is worth risking a human life.
Too often cybersecurity professionals forget that they are SECURITY professionals first and that the same rules of deterrence, escalation of force and other aspects apply. Given this new Bill, I felt this was a good time to again discuss deterrence (active and passive) and once again talk about the Escalation of Force Cycle. So, what is deterrence? (Warning… long post.) (Pic of the author off the coast of Somalia doing anti-piracy operations.)
The History of Deterrence Theory:
The concept of deterrence is relatively easy to understand and likely extends to the earliest human activities, in which one early human dissuaded another from stealing food by employing the threat of violence against the interloper. Written examples of deterrence can be attributed as far back as the Peloponnesian War, when Thucydides wrote that there were many conflicts in which one army maneuvered in a manner that convinced the opponent that beginning or escalating a war would not be worth the risk.[1] In the 4th Century BC, Sun Tzu wrote: “When opponents are unwilling to fight with you, it is because they think it is contrary to their interests, or because you have misled them into thinking so.”[2] While most people seem to instinctively understand the concept at the individual level, contemporary deterrence theory was brought to the forefront of political and military affairs during the Second World War with the deployment of nuclear weapons against Nagasaki and Hiroshima.[3]
The application of deterrence during WWII was the beginning of understanding that an internal value calculus drives human behavior and that behavior could be formally modeled and predicted with some degree of accuracy. (more…)
Chris Mark Speaking at 2014 AT&T CyberSecurity Conference August 25, 2014
Posted by Chris Mark in Uncategorized. Tags: adaptive, AT&T, Chris Mark, cyber, deterrence, hack, PCI, risk, security, threat
At 10 am on September 3rd, 2014 Chris (that is me) will be speaking at the 16th annual AT&T CyberSecurity Conference in New York City. My particular discussion will be on the Human Element of Security. From providing armed force protection in Mogadishu to unarmed security in a psychiatric ward through information security and anti-piracy work in the Gulf of Aden, I have learned that the underpinnings of security transcend all security domains. My presentation will hit on the concepts of rationality, Knightian uncertainty, parallax, proximate reality, change blindness, deterrence, and threat adaptation to provide tools CSOs can use to make more informed decisions about security.
Understanding Deterrence & Crime Prevention June 25, 2014
Posted by Chris Mark in Uncategorized. Tags: actor, Chris Mark, crime, criminal justice, deterrence, game theory, punishment, rational
The following is an excerpt from the 2012 research brief titled “Failed State of Security; A Rational Analysis of Deterrence Theory and Cybercrime.” I was recently provided a blog post by an ‘expert’ in which the author was again blaming the victim of a data breach while chiding companies for believing that they should expect law enforcement to be there when they need them. The author misses a major purpose of the criminal justice system: deterrence of criminal behavior. In late 2013 a US Senator stood in front of a Target store and blamed Target for their data breach. Interestingly, this senator did not state that the US should redouble efforts to deter cybercrime through more effective laws or more aggressive law enforcement actions. Until the laws and criminal justice system can begin to deter such behavior, cybercrime will continue to plague data industries. So what is deterrence?
An Overview of Deterrence Theory
Deterrence theory has applications in a variety of fields, including military and maritime security settings, foreign affairs, and criminology, to name a few. While seemingly unrelated, when looked at closely, the similarities are apparent. Each of these fields involves human decisions and humans that have the ability to behave and act in a manner contrary to the wishes of the other party. It is the ‘human element’ that is being modified by deterrent strategies.
History of Deterrence Theory
The concept of deterrence is relatively easy to understand and likely extends to the earliest human activities, in which one early human dissuaded another from stealing food by employing the threat of violence against the interloper. Written examples of deterrence can be attributed as far back as the Peloponnesian War, when Thucydides wrote that there were many conflicts in which one army maneuvered in a manner that convinced the opponent that beginning or escalating a war would not be worth the risk.[1] In the 4th Century BC, Sun Tzu wrote: “When opponents are unwilling to fight with you, it is because they think it is contrary to their interests, or because you have misled them into thinking so.”[2] While most people seem to instinctively understand the concept at the individual level, contemporary deterrence theory was brought to the forefront of political and military affairs during the Second World War with the deployment of nuclear weapons against Nagasaki and Hiroshima.[3] (more…)
“Active Responses” to CyberAttacks are Losing Propositions May 22, 2014
Posted by Chris Mark in cybersecurity, Data Breach. Tags: active, active response, Chris Mark, cybercrime, cybersecurity, data breach, data security, deterrence, fight, InfoSec & Privacy, PCI DSS, response, security
“Everyone has a plan until they’ve been hit” – Joe Louis
Spending numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for the force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.
As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as ‘hacking back’ or ‘offensive hacking’. Several prominent security experts as well as some companies who have fallen victim to cyber-attacks have begun advocating that ‘a good offense is the best defense’. On May 28th, 2013 there was an online discussion in which an author of the upcoming book: The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:
“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added) (more…)
“Failed State of Security” Part II; Cybercrime Victim Blaming May 18, 2014
Posted by Chris Mark in Uncategorized. Tags: causality, cause, Chris Mark, compromise, crime, cybercrime, data breach, deterrence, hack, PCI DSS, security, Target, theft, victim blaming, victimization
I am proud to release another research brief, Part II of my “Failed State of Security” series, in which I discuss and analyze victim blaming in the context of data security. In 2012 I published a research brief titled “A Failed State of Security: A Rational Analysis of Deterrence Theory and The Effect on CyberCrime,” in which I discussed the failure of law enforcement and cybersecurity to deter cyber events and discussed the theory of deterrence and the need for deterrence within cybersecurity. You can download the article on IDGA’s website or on my own website here. This paper is Part II of the “Failed State of Security” series. Started after the Target data breach, this topic is one that has always been close to me. In April 2009 I wrote an article titled “Lessons from the Heartland Breach” which was published as the cover story by TransactionWorld magazine.
Victim blaming is common in sexual assault, as well as other types of crimes. A quick Internet search will turn up scores of instances in which the victim of a violent crime is blamed for being victimized. When we include a large, corporate entity it becomes easier to point the accusatory finger at the organization. Whether due to Schadenfreude or some other reason, people want to blame companies that are victimized by hackers. Did the company “cause” the breach? Were they somehow complicit in the attack? What do we mean when we say “cause”? What is a causal fallacy? These, and many more topics, are discussed in Part II of the “Failed State of Security” series. I invite you to download “Failed State of Security Part II”; Victim Blaming in Cybercrime. As always, I welcome any comments or debate on the topic…