PROFESSOR EICHENSEHR
SPRING 2015
Print: CFAA, Budapest Convention, EEA, Geneva Convention, Cal. Data Breach Law, SEC
Disclosure Guidelines
1. INTRO
a. Sony Hack
i. Timeline
1. June
a. North Korea makes negative comments about the Interview
2. November
a. Discovery of Sony hack (Nov. 24, 2014)
i. Sony realized that its systems had experienced a breach
ii. Message regarding Sony's CEO was displayed on every internal computer
b. Contacted law enforcement within a few days of the
discovery of the initial breach
c. First data dump (Nov. 27, 2014)
i. Stolen movies (Annie, James Bond, etc)
3. December
a. Threatening email sent to all of Sony's employees (Dec. 05, 2014)
b. The Interview is referred to in the hackers' communications (Dec. 08, 2014)
c. Warnings sent out to media outlets by Sony in regards to
the information dumps (Dec. 14, 2014)
i. Hired lawyer David Boies to manage the media attention
d. Threats are communicated to theaters against showing the
Interview (Dec. 16, 2014)
e. Major cinemas begin dropping the Interview (Dec. 17,
2014)
i. CEO Lynton makes statement that they have no further release plans for the movie
f. Identification of North Korea as the perpetrator by the FBI,
statement issued (Dec. 19, 2014)
i. Obama reprimands Sony for pulling the movie
1. Restriction on American freedom of speech
2. Promises proportional response on the part of
the US
ii. Secretary of State Kerry condemns North Korea for the cyberattack and indicates that this violated international norms
iii. First time the US has called out a foreign country for
a cyberattack
g. Obama makes statements on CNN, calling it an act of
cybervandalism (Dec. 21, 2014)
i. Contrast with John McCain calling it cyberwarfare
Phishing
Viruses
DDOS attacks
Hackers and other cybercriminals
Advanced persistent threats
1. Classification of states that are actively
engaged in hacking or spying
2. EX: China
c. Why threats exist
i. Why is the internet so vulnerable?
1. The architecture of the internet
a. Lack of transparency
b. Anonymity
c. Decentralization
i. Difficult, expensive and maybe impossible to change the fundamental structure of the internet
ii. Anonymity is important to protect
freedom of expression
ii. Exponential innovation
1. More points of access, new configurations may
result in unprecedented access
2. Pressure for innovation results in push for
quick-release products that are less thoroughly
researched and secured
a. Change might slow innovation, disadvantage small start-ups and negatively affect the economy
iii. Widespread integration into economy and society
1. More devices with access
2. Critical infrastructure is operated through the
internet
iii. General issues
1. Cyber as an offensive-dominated environment
a. Easier and cheaper to attack (find a weakness in the
system) than to defend
i. Fueled by anonymity structure
1. You don't know where the attack is coming from or at what time, resulting in less time and knowledge through which one can formulate a defense
2. Low barrier to entry
a. Tools and information for cyberattacks are widely available
on the internet
i. Black market for cybercrime tools allows experts to
pass on tools and information to those with intent
iv. Perpetrators of cyberthreats
1. Criminal hackers
a. Financially-motivated criminal gangs
2. Hacktivism
3. Espionage attacks
a. Trade secret theft
b. Spying
v. Cases
1. Wall Street spear-phishing incident
a. Facts
i. Use of Wall Street lingo to conduct hack
ii. Malware was contained in emails that were sent to
executives, which contained sophisticated Wall Street
language
b. Combination of hacking and social engineering
c. Getting confidential information about particular industries
i. Focus on pharmaceuticals and healthcare
d. Tailored to the recipient
i. Looks like something you would receive from
someone that you are actively in contact with
ii. Requires more work on the part of the hackers
2. Zeus BotNet takedown
a. Facts
i. Mass takeover of users' computers, which were then used, collectively, to swarm other websites
1. Malware allowed the bot-herders to direct the
networks of compromised computers to do
certain tasks
a. Some were aimed at DDOS attacks
b. Some aimed at stealing credentials
ii. Stole banking credentials and initiated wire transfers
overseas of over $100 million
iii. Simultaneous infection with Cryptolocker
3. Estonia cyber-riot
a. Facts
i. Movement of a statue resulted in Russian DDOS attacks being directed at Estonia's government websites, which further replaced Estonia's sites with Russian propaganda
ii. Suspected to be orchestrated by the Russian
government
1. Information was posted on Russian-language
websites, which allowed private citizens to
utilize this information as well
4. Iranian hack of US banks
a. Facts
i. Banks were bombarded with DDOS attacks that
resulted in bank shutdowns
b. Thought to be too sophisticated to be the work of amateur
hackers, attributed to Iran
i. Takes a lot of bandwidth to direct that much traffic at
the banks
ii. FCC has announced future regulation that would prohibit throttling
1. Classified the internet as a public utility
b. Structure
i. Internet Corporation for Assigned Names and Numbers (ICANN)
1. US is relinquishing control of ICANN to other multi-stakeholder
processes
a. Due to increasing criticism about the US's dominant role in internet infrastructure
b. Congress prohibited the Department of Commerce from
appropriating funds for the transfer, but did not prohibit
the transfer itself
i. Does not need funds to transition ICANN, transfer of
authority will automatically occur when the contract
runs out in Sept., 2015
ii. Internet Engineering Taskforce (IETF)
1. Multi-stakeholder group
2. Develops the technical protocols that run the internet
a. Developed IPv4: 4.3 billion IP addresses; however, running out
b. Developed IPv6: Expands IP addresses by a gazillion
iii. Internet Society
1. Open forum that anyone can join, including individuals and organizations, for a fee
2. Advocates for an open internet
3. Operates on a multi-stakeholder consensus model (humming!)
iv. International Telecommunications Union (ITU)
1. Started in order to regulate telegraphic exchanges between
countries
2. Debate at World Conference on International Telecommunications
(WCIT) 2012 on whether to include the internet as one of the
forms of communication that they can regulate
a. Pushed by Russia, adopted by some, but not others
i. Normally operates by consensus rule, but this
conference broke tradition and had a formal majority
vote
ii. Big player countries walked out
b. Internet issue was talked about in a side resolution, not in
the binding part of the treaty itself
c. Language of the resolution stated that all governments
play an equal role
i. Imposition of a multi-lateral instead of the original
multi-stakeholder model
ii. Equal role language is a slam on the US
3. Is a UN body, and giving the ITU the ability to regulate the
internet would mean that each UN state gets one vote, and
would cement the multi-lateral model transition
c. Multi-stakeholder model
i. PROS
1. Run by private industry and not by state governments or organizations
2. Current stakeholders are more
3. Driven by technology companies which are largely headquartered in the US
ii. CONS
1. Too many people are involved; easy to make backdoors
2. Not enough order
3. Ineffective enforcement
4. Common citizens do not have the resources or technical know-how to voice an opinion
5. Western-dominated
6. Skews everything in a profit-driven, self-interested way; private industry agenda needs to be taken into account
d. Views
i. International Strategy for Cyberspace (US AND EU VIEW)
1. Promotes:
a. Multi-stakeholder governance
i. US can promote this because it decreases worldwide
governmental control, while at the same time the US
has other levers of control through which it can exert
its power and therefore does not need to make it
explicit
b. Freedom of expression
c. Privacy
d. Establishing international norms
i. Safety, stability
e. Interoperability
i. One internet for the whole world, not multiple
national internets
ii. Anti-fragmentation
ii. International Code of Conduct (CHINESE AND RUSSIAN VIEW)
1. Promotes:
a. Multi-lateral governance
b. Pro-fragmentation of the internet
c. State sovereignty in the internet sphere
d. Content control
e. State acts as primary figure in information selection
f. Prohibition on proliferation of hostile activities
g. Establishing alternative norms
i. Respecting cultural differences
ii. Freedom of expression, etc, are not international
norms
5. DISCLOSURE AND TRANSPARENCY IN THE CYBER SPHERE
a. SEC disclosures
i. For public companies, requests disclosure of cybersecurity risks through guidance materials, which are not mandatory or binding
1. Requires disclosure where triggered by a material risk
a. Information is considered material if there is a substantial
likelihood that it would change the attitude of an investor
ii. Attacks covered by disclosure materials
b. Aaron's Law
i. Potentially could change the CFAA to cover only
code-based access
ii. Would eliminate liability in the CFAA for contract-based access
iii. Would reform the penalties
7. ACTIVE DEFENSE (HACKING BACK)
a. General
i. The Department of Justice has held that there is no exception in the
CFAA for companies hacking back
b. Kinds of active defense
i. Planting of false information (OK)
ii. Stolen information that self-destructs (OK)
1. Issue of whether this will damage the perpetrator's systems
iii. Beaconing (OK)
1. Shows where the data is allowing you to trace
2. Alerts the company that the data has left its system
iv. Patrolling cybercrime forums (OK)
1. Accounting information, offers to sell intellectual property, etc
v. Honeypots (OK)
1. A weakened server seeded with information
2. Traps set to entice hackers to a particularly weakly defended
server in order to see what they are looking for, what techniques
they are using and in an effort to look for clues of their identity
vi. Accessing the server of the hacker and deleting the stolen files (NO)
vii. Stewart Baker's Poisoned RATs (NO)
1. Remote Access Tool
a. A way in for hackers to get into a company's server; sends malware or a beacon back to identify them
viii. Disabling hackers' servers (NO)
ix. Virtual labyrinths (OK)
1. Continuous misdirection of hackers
2. Increases the hackers' costs
c. Arguments
i. For hacking back
1. Your computer, my data: Because it is your data, you're allowed to follow it and take it back or control how it is used
a. Argument hurt by the fact that the CFAA talks about
accessing computers, not data
2. Compromised machines owned by innocent third parties
a. You are doing them a favor by letting them know what is
happening to them
b. However, this is tempered by the fact that you cannot
harm their computer in your counterattack
c. Limit: Cannot cause damage, but surveillance, likely okay
i. Must be very confident when launching your
counterattack that the third-party will not be
damaged, or else you will get no protection
3. More resources for private defense
4. Less political controversy
a. Private parties' actions cannot be attributed to the state
1. IP theft
2. Data breaches
a. Customer data may not be a trade secret, but a client list
would be
vi. What is not covered by the EEA?
1. DDOS attacks
a. No actual act of misappropriation
2. Data wiping
b. Cases
i. US V. GENOVESE
1. Facts
a. Pieces of Microsoft source code were leaked for free on a website
b. Defendant took the source code and tried to sell it
i. Was not the source of the leak, did not do the actual
hacking
2. Analysis
a. Constitutional challenges to the indictment
i. Freedom of speech
1. Since it was public information, he is allowed to
repeat it
ii. Was not a trade secret, since it was made publicly
available
iii. Void for vagueness argument
b. § 1832 trade secret theft case
i. Court found that it was not protected speech
1. Illegal activity does not constitute protected
speech
3. Holding
a. Against the defendant
ii. US V. CHUNG
1. Facts
a. Chung secreted information under his house over the
course of decades
i. Was a Boeing contractor/engineer
ii. Gave information to the Chinese government
b. Largest archive of NASA information outside of NASA
2. Analysis
a. § 1831 economic espionage case
i. Indicted for 6 counts of economic espionage and 1
count of conspiracy to commit economic espionage
b. Analytical process
i. Was the information a trade secret?
1. Was it a secret?
a. Were there reasonable secrecy measures?
2. Did the information have independent economic value?
a. Tasked by the Chinese government to
steal this information with the intent to
benefit the Chinese government
b. Must be widespread
2. Customs of countries on the international stage
a. However, not all customs obtain the status of customary
international law
3. Opinio juris sive necessitatis
a. An opinion of law or necessity
i. Done out of a sense of legal obligation
ii. States are not just engaging in the practice out of
convenience or policy
1. Does it because they think they are legally
required as a matter of international law to do
it
4. States may not have signed onto a treaty, but may still be bound
by customary international law
a. Generally enforce through actions taken by other states
5. Usually not an affirmative practice, but a defensive one, asking
states to refrain from doing something
b. International procedural issues
i. Extradition
1. Taking a criminal defendant from one country and sending them to another country for prosecution
2. Custody of persons, moving people across borders for the
charging of crimes
a. US-Estonia
3. Requirements
a. Dual criminality
i. Must be a crime in both jurisdictions/overlapping
cores of criminality
b. Minimum severity requirement
ii. Mutual legal assistance (evidence collecting function)
1. Perpetrators may be abroad and so evidence may also be abroad
2. MLATs
a. Mutual legal assistance treaties
b. Usually bilateral
c. Binding legal obligations for the receiving state to respond, subject to some exceptions
i. Processed through the central authority of each
state, government-to-government
1. Cannot be used by individual litigants
3. Letters of Rogatory
a. Processed between court-to-court
POLICY QUESTIONS
a. (1) Congress should pass a federal data breach notification law that would
preempt all state data breach notification laws currently in effect
i. FOR
1. Current patchwork structure makes compliance for companies
difficult and time-consuming
a. May result in customers in different states being notified of
the same incident at different times with different
information
2. Would unify requirements
a. A state can suffer a use of force, but not have the right to
retaliate as it does not rise to the level of an armed attack
i. States are only allowed to respond to uses of force
when it amounts to an attack, whereas the US states
that uses of force are armed attacks
b. If we said that cyberattacks were not armed attacks, then
states would never be allowed to use force in retaliation
2. WHETHER A CYBERATTACK CAN BE AN ARMED ATTACK; SELF-DEFENSIVE FORCE AGAINST CYBERATTACKS: LEGAL, STRATEGIC AND POLITICAL DIMENSIONS (WAXMAN)
a. 3 possible answers
i. NO
1. Strict reading; cannot be an armed attack as it must constitute kinetic violence
ii. SOMETIMES
1. Must result in violent consequences (effects-based)
a. Such as the consequences resulting from
a conventional strike
b. EX: opening a dam on a village,
activating nuclear weapons, disabling air
traffic communications resulting in a
crash
c. US takes this approach
i. Has no firm position as to
cyberactions with no clear kinetic
parallels
2. Depends on the magnitude of the consequences
a. Difficult to apply
b. EX: attack on the stock market
3. TALLINN MANUAL
a. Armed attack and use of force are not equated; does not take the US position
b. Exceptions to prohibition on the use of force
i. Self defense
c. Jus ad bellum
i. Recognized by the US
ii. Limitations on the right to self defense
1. Necessary
a. LETTER FROM US SECRETARY in relation to the
CAROLINE INCIDENT
i. Leaving no choice of means
1. No peaceful alternatives
a. Diplomatic negotiations
b. Asking for cease and desist
ii. Admonition or remonstrance impracticable,
or would have been unavailing
iii. Daylight could not wait
iv. Means necessary to remove the threat, and whether
non-forcible means were adequate
2. Proportionate
a. Proportional in relation to what the attack was
supposed to achieve
b. Not limited to repelling the initial attack, but ending
the conflict
i. Whatever is necessary to eliminate the threat
1. Not limited by geographic location
2. Does not have to be a mirror image of the attack
a. Do not need to resort to same
tactics, type of weapon or type of
attack
c. Could it have been done with less violence with the
same objective of neutralizing the threat?
d. The response must not be excessive, must be proportionate to the threat
e. LETTER FROM US SECRETARY in relation to the
CAROLINE INCIDENT
i. Nothing unreasonable or excessive
f. Proportionality: responding to a conventional attack
with cyber means?
i. Limit damage, lost lives
ii. Should not be required, but an option
1. Requiring a specific kind of response would take away from a state's ability to defend itself
iii. If you could accomplish the same goal
through cyber means, would show you took
proportional, less violent action?
iii. TALLINN MANUAL: RULE 14 Jus Ad Bellum
1. Use of force of cyberoperations taken by a state must be
necessary and proportionate; no exemption for cyber
context
2. Peaceful cyber alternatives
a. Firewall
b. Detection and prevention systems
c. Requests to desist
d. Expanding server capacity to withstand DDOS
attacks
3. Cyber attacks do not necessarily require a cyber response
iv. How much of a constraint is necessity and proportionality on
self-defense?
1. Easy to work around the requirements
2. Only limits against ridiculously overbearing responses
a. Does not limit more nuanced differences in
response
v. Temporal requirements
1. Imminence
a. When you know an attack is going to happen, how
soon can you respond?
b. 4 possible answers
f. Is a
i. Kinetic damage
ii. Serious functionality disruptions
iii. Any unauthorized access
1. Not an appropriate standard for a law of war
iv. TALLINN MANUAL: RULE 5
1. General duty for one state to not knowingly allow the unlawful
use of its cyberinfrastructure to harm another state
2. Cyber issues
a. Attribution
i. Difficult for states to know where an attack is coming
from
b. Borders are hard to police
i. Borders are very porous/non-existent in cyberspace
c. Speed of cyberattacks
v. What does a state have to know before taking action?
1. Certain attribution
2. Actual knowledge
a. Duty to act
b. May give states plausible deniability
3. Constructive knowledge
a. Imposes knowledge on a person where they should have
known
b. Duty to monitor
i. FOR
1. State itself is in the best position to know
2. Would not want to permit other states to look
into your cyberinfrastructure
ii. AGAINST
1. Enforcement difficult
2. States have different capabilities
3. Privacy concerns for citizens
a. Could be sanctioning a lot of government
monitoring, intrusive
4. Not a good use of resources
iii. Does this duty apply to states through which cyber
attacks are routed?
1. Applies to the state where the attack originates
2. However, where routing is fairly instantaneous,
impracticable for routing states to react
a. Data travels in a fragmentary way
b. May not have the ability to prevent it
3. LAW OF CYBERWARFARE (SCHMITT)
a. Predicts that there will be a movement
towards accountability of routing states
g. Cyberwar: law by analogy
i. Internationally wrongful act
1. Breach of an international legal obligation
a. Very broad; when an act of a state does not comply with a
legal obligation
b. Exemptions
i. Consent
ii. Countermeasure
iii. Force majeure
iv. Self-defense
2. Attributable to the state
a. DRAFT ILC ARTICLES
i. Article 4: Conduct of organs of a state
1. Regardless of position, regardless of whatever power it holds, its actions will be attributed to the state
2. Whether it is an organ of the state is
determined by how it is organized based on
internal law
ii. Article 5: Conduct of persons or entities who are not
organs of the state
1. Attributed to the state where it is empowered
by the state, provided that the person or entity
was acting in that capacity
a. De facto organs of the state
i. Non-governmental organs exercising governmental authority
b. TALLINN MANUAL: RULE 6
i. Broader definition of state organ
ii. Individuals acting under the instruction of a state and directly under the state's direction or control
iii. ICJ standard: effective control (dominant standard)
1. U.S. V. NICARAGUA
a. Must prove that the US has effective
control of the military operations,
weapons funded by the US not sufficient
2. Operation-by-operation control difficult to show; high evidentiary standard
3. Greenlights the idea of war by proxy, so long as
they are doing it through a third-party and are
not giving instructions
a. EX: Estonia cyber-riot, Sony hack
iv. International Criminal Tribunal for Yugoslavia: overall
control
1. Looser definition, does not require operation-by-operation control
c. How to determine state responsibility?
i. Conventional
1. What is the relationship between the forces
and the state military
2. Where are the weapons coming from
ii. Cyber
1. Amount of control the state has over its own
network
2. Where the internationally wrongful act is coming from (location)
3. Transfers of money to these groups by the
government
6. Criminal law
a. Extradition issues
b. Different national definitions of cybercrime
7. Invisibility
a. Labyrinth
8. Economic sanctions
a. Targeting both perpetrators and the people who benefit
from the cybercrime
b. Slow-moving
c. Interdependence may result in economic sanctions having a blowback effect on own nation's economy
9. Diplomatic responses
10. Declaratory policies
a. Statements of how the US will respond in the event of an
attack
i. Can be a statement indicating that there will be a
response without specifying what it will be
11. Collective defense
a. Helping other countries bridge the digital divide