I loved being a firefighter. In what other job do you get to speed around running red lights, chop someone’s door down with an axe, pull down their ceiling, rip down their walls, cut holes in their roof with a chainsaw, soak everything they own with water, and then have them stop by the office a few days later to give you the cookies they baked for you?
Now, if you try and do any of those things when you’re off duty and the house isn’t on fire, you tend to go to jail. But on duty and on fire? The police will arrest the homeowner if they get in your way.
Society has long accepted that there are times when the public interest outweighs even the most fundamental private rights. Thus I think it is long past time we applied this principle to cybersecurity and authorized appropriate intervention in support of national (and international) security.
One of the major problems we have in cybersecurity today is that the vulnerabilities of the many are the vulnerabilities of everyone. All those little unpatched home systems out there are the digital equivalent of burning houses in crowded neighborhoods. Actually, it’s probably closer to a mosquito-infested pool an owner neglects to maintain. Whatever analogy you want to use, in all cases it’s something that, if it were the physical world, someone would come to legally take care of, even if the owner tried to stop them.
But we know of multiple cases on the Internet where private researchers (and likely government agencies) have identified botnets or other compromised systems being used for active attack, yet due to legal fears they can’t go and clean the systems. Even when they know they have control of the botnet and can erase it and harden the host, they legally can’t. Our only option seems to be individually informing ISPs, which may or may not take action, depending on their awareness and subscriber agreements.
Here’s what I propose. We alter the law and empower an existing law enforcement agency to proactively clean or isolate compromised systems. This agency will be mandated to work with private organizations who can aid in their mission. Like anything related to the government, it needs specific budget, staff, and authority that can’t be siphoned off for other needs.
When a university or other private researcher discovers some botnet they can shut down and clean out, this law enforcement agency can review and authorize action. Everyone involved is shielded from being sued short of gross negligence. The same agency will also be empowered to work with international (and national) ISPs to take down malicious hosting and service providers (legally, of course). Again, this specific mission must be mandated and budgeted, or it won’t work.
Right now the bad guys operate with impunity, and law enforcement is woefully underfunded and undermandated for this particular mission. By engaging with the private sector and dedicating resources to the problem, we can make life a heck of a lot harder for the bad guys. Rather than just trying to catch them, we devote as much or more effort to shutting them down.
Call me an idealist.
(I don’t have any digital pics from firefighting days, so that’s a more-recent hazmat photo. The bandana is to keep sweat out of my eyes; it’s not a daily fashion choice).
10 Replies to “A Small, Necessary, Legal Change For National Cybersecurity”
@Rich – nice idea but using Government will be met with a reaction similar to what Rob is saying.
Fire departments are in place nowadays because the Government realised that we would be screwed without them. But, (I’m not a history buff so take a pinch of salt here) they started by people loosely getting together to protect themselves. So, with that in mind it may be worth starting community projects to help people out with their PCs. Every second Tuesday you get your neighbors together and distribute patches and talk about security.
Alternatively, get the ISPs to do a sorta large scale NAC. If they detect suspicious traffic from your line then they put you on a limited access network where all you can get to is the Microsoft patching site and antivirus update sites. Once you sort yourself out then they put you back on the unlimited Internet. (This can be automated). Of course, all ISPs would need to buy into this or people will just change ISPs.
This idea sounds fantastic. Anyone who is concerned about someone looking on their computer very likely has something to hide. Once you get past the idealist view of individual rights taking importance over the good of the community your reason may start to kick in. If anything I would call you pragmatic and the people protecting individual rights over the good of the community as idealists. If you don’t want someone looking at your hard drive you either have a) illegal music/movies/tv – no excuse fellas, seriously b) child porn (I’d say shoot the man on the spot) c) political views, which in this country our government is tolerant of any kind (i.e. infowars, prisonplanet still existing).
In my mind the question is are you willing to sacrifice a little privacy for the betterment of the community. I certainly am, and I have nothing to hide.
Very interesting topic. I believe as well it is ultimately idealistic, but possibly has roots in something with some tweaking could work. The problem I see is having private and public entities reacting together, I guess you could see a couple of stigmas here.
You have private industry who would be very agile but could also be careless and could lead to corruption, how about I have company A which I own see a problem on your infected machine … I know it’s there, because I put it there and I know I can get rid of it and make a few bucks in the process.
Government could generally be viewed as once an agency was enacted and operational it may not have the agility to deal with threats in a timely fashion. Which I concede that a slow delivery is better than no delivery.
At first I liked the snow shoveling example posted above, but after a minute or two I really don’t feel it accurately applies here. First you have snow, a threat that you probably saw coming a few days at least in advance. It snowed, and it doesn’t take too much brain power to shovel the walk (maybe a strong back). There is still something mystical about the computer and its inner workings to most people, a fact that keeps most of us gainfully employed no matter what your discipline is.
I would liken it to the fact that say you don’t tune up your car on a regular basis and it begins to put more pollutants in the air. But I say, there will be a watch dog agency that goes out and regularly tests cars CO2 levels and once someone has been found in violation, they are immediately required to go to a station to get said tune-up. What would be the incentive to ever make sure your car is properly maintained? Sooner or later someone will take care of it for you. Which doesn’t solve the problem.
Back to the botted computer network. Two ways I can think of right now to realistically solve it. One, be manufactured in, i.e. a system that cannot be compromised (probably just as likely as building a combustible gas engine that won’t ever need tuneups). Two, make people liable for the actions of their botted computers. If you were negligent in reasonably securing your computer then maybe you lose out on ice cream day at work or something I dunno.
Ultimately, we want people to care enough to protect themselves. Right now “Sally” doesn’t care if her PC is used in a DDoS just so long as she can still get her webmail and browse Amazon.
@rich:
i’m not sure the good it would do would outweigh the bad… when 1,000,000 people suddenly have no operating system, what do you think will happen? steve ballmer is already balding, the rest of his hair would be gone the instant microsoft started receiving support calls from all the victims… and that’s just the home users…
what happens when some of those machines are in the enterprise? or in government or military? what if they’re part of critical infrastructure? worse still if it’s in such machines in other countries – taking down the botnet could cause an international incident…
self-destructing botnets are something i wouldn’t want to touch with a 10 foot pole…
I’m not talking about cops acting, but the review for others you suggested:
That isn’t the role of an enforcement agency, but a court.
In cop terms, though, for the enforcement agency to do its own cleanup (the other, organizationally simpler, part of what you suggested), they’d need something fast & streamlined like a FISA Court or a standing authorization. Now I said “FISA Court”, and I’m giving myself a headache. Time to go lie down.
Chris,
Cops act all the time… you don’t need a judge to arrest someone, or stop a crime in progress, or enter a private home when there is a clear risk/threat, and so on. I don’t see this being much different.
Totally agree that RIAA would try and subvert this (since they’ve already tried to get similar laws passed). I hadn’t thought about that, but I also don’t see an alternative. The current model definitely doesn’t work.
Thanks Kurt,
I agree- that’s my biggest concern. On the other hand, from a public good perspective that would, in the end, have an overall positive benefit. First, the vulnerable systems are taken down. Second, the outrage might wake people up again, as in the days when viruses weren’t stealthy. It’s a totally cold way of looking at the problem, but it’s hard to see alternatives anymore.
Or am I just being cruelly idealistic?
@Pamela… and you’re calling *me* an idealist? 🙂
Notification just won’t work- how do you track down and notify a few million people? The logistics are staggering, and that’s been tried. I think at the point where someone’s system is clearly being used to attack others a system like this can reasonably be engaged, even if there is some collateral damage. Maybe sometimes we can do some sort of pop up notification, but that itself is a system modification and would require a legal precedent to be allowed.
Rich,
It sounds like you’re conflating cops with judges. Cops (enforcement agencies) don’t decide if action is needed; they advocate action, and a judge decides if it’s appropriate. In the case of security researchers, an enforcement agency is probably not the right group to decide if they can or should proceed.
Maybe we should start with government computers. If an “outside” (but still federal) agency could do a good job cleaning up LANL and various hacked federal sites and networks, then they could use federal funding as an approach to universities and other organizations that take federal funding. If that works, we can consider general access for those white hats (with sixguns).
Problem: The RIAA/MPAA would love this, and they would put tremendous effort (dollars) into subverting it into an anti-piracy arm. This has already happened to the FBI.
Pamela,
The problem here is speed. You can warn someone over a period of weeks or months about shoveling, but if you give computer owners a few weeks, you would often miss the opportunity to have any benefit, as the user might wipe or replace their PC, or another piece of malware might take up residence, and the original proscription for cleaning could be ineffective or damaging.
Also, you’d have to go through ISPs to notify users, which drags out the notification process, and (unless you’re going to give the RIAA/MPAA their dirty fantasy of consumer liability easily linked to IP addresses), there’s a whole confidentiality problem that needs careful attention before your messages can reach the users.
you make a compelling argument – botted machines are a public security hazard and some hazards are grievous enough to warrant unauthorized intervention…
i instinctively rebelled against this notion because i don’t like the idea of authorities mucking around on my computer out of some potentially misguided notion that they know better than i do… but i can’t find any flaw in the applicability of your analogy…
the only problem i foresee is that if the bad guys can’t hide their creations behind legal red tape then they’ll hide them behind something equally compelling, like commands to self-destruct and wipe the host machines (to get rid of evidence and also to just be mean) if the network is tampered with… this switch from legal to technical controls may mirror anti-tampering efforts in other domains… if they can figure out a way to make killing the botnet do more harm than good then it will be equivalent to the situation we’re in now and no change in law will affect such a technological adaptation…