CYBERLAW & CYBERPOLICY: International Cyber Conflict and the Law


Additional Note to the Norm Against Offensive Cyber Operations by Non-State Actors, Global Commission on the Stability of Cyberspace (2018)

1. Public Core: Protect the core of the internet from interference.
2. Electoral Infrastructure: Protect the technical infrastructure used in elections from cyber attacks.
3. Tampering: Avoid tampering with products and services before their release.
4. Commandeering: Don't commandeer civilian devices for offensive cyber operations.
5. Vulnerabilities Equities: Develop a process to handle vulnerabilities discovered by states.
6. Mitigate Vulnerabilities: Take steps to reduce and mitigate significant vulnerabilities in products and services.
7. Cyber Hygiene
8. Offensive Operations: Avoid offensive cyber operations by non-state actors.

Computer Fraud and Abuse Act 1030 E

2A Computer 2B Protected computer 2C Voting system 3 State 4 Financial institution 5 Financial record 6 exceeds authorized access 7 Dept. US 8 damage 9 Government entity 10 conviction 11 loss 12 person 13 federal election 14 voting system

China tightens control over cybersecurity in data crackdown, Joe McDonald (2021)

China has banned IT specialists from selling computer system vulnerabilities. Major hacking assaults have used "zero day" security flaws. The new guidelines require Chinese citizens to report vulnerabilities to the government, which will decide what fixes to perform, and not to "overseas organizations or people" other than the product's producer. On September 1, the restrictions strengthen Communist Party information control.

What is Cyber Hygiene?

Cyber hygiene is a set of foundational measures that prioritize essential tasks to defend against, prevent and rapidly mitigate avoidable dangers in cyberspace. It is a basic duty of care that should be required of all users, and includes reliable measures of implementation, sharing of technical information and best practices, and appropriate oversight. According to the Global Commission on the Stability of Cyberspace (GCSC), widespread adoption of cyber hygiene is essential to the responsible use and beneficial growth of the internet.

Norm to Reduce and Mitigate Significant Vulnerabilities

Developers and producers of products and services on which the stability of cyberspace depends should: (1) prioritize security and stability, (2) take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and (3) take measures to timely mitigate vulnerabilities that are later discovered and to be transparent about their process. All actors have a duty to share information on vulnerabilities in order to help prevent or mitigate malicious cyber activity.

What is the proposed process to reduce and mitigate significant vulnerabilities?

GCSC has called on those creating IT products and services to take "reasonable steps" to reduce the frequency and severity of vulnerabilities in those products. The GCSC said that the sharing of information on vulnerabilities and associated remedies was important to help prevent and mitigate attacks. The commission also called on those involved in the development or production of critical products to ensure that the number and scope of critical vulnerabilities are minimized and effectively and timely mitigated and disclosed when discovered.

Can one hack-back?

Getting into the thieves' computer networks without authorization is illegal (a federal crime). Violations of the Computer Fraud and Abuse Act can lead to prison sentences of up to twenty years. Legal prohibitions on hacking haven't changed.

What is a "financial institution"?

Includes banks, credit unions, broker-dealers, and other organizations involved in finance.

Under the VEP what information should NOT be disclosed?

Information about a newly discovered vulnerability in an information system or technology should not be disclosed if there is a demonstrated, overriding interest in using the vulnerability for lawful intelligence, law enforcement, or national security purposes. The USG may temporarily restrict knowledge of the vulnerability to the USG and potentially other partners.

Does the government prosecute private institutions for "hacking back"?

Legally they can, but they don't. The government doesn't prosecute private institutions for hacking back, per se. It is generally not advisable for individuals or businesses to hack back against cyber criminals, for several reasons:
1) Hacking back can be illegal and can result in prosecution.
2) Hacking back can be dangerous and can lead to unintentional damage or harm to innocent parties.
3) Report any cyber crimes to the appropriate authorities and take steps to protect against future attacks through measures such as implementing strong cybersecurity protocols and regularly updating software and security systems.

Why is Pegasus worrisome?

NSO Group's use of Pegasus software to extract texts, images, emails, record calls, and discreetly activate microphones on compromised iPhones and Android devices is concerning. If authoritarian regimes utilize Pegasus to target human rights activists, journalists, and attorneys, this threatens their privacy and security. Criminal or terrorist use of Pegasus is likewise a risk. Lack of transparency and accountability in Pegasus use raises issues about biases and conflicts of interest in decision-making.

Norms Against Offensive Cyber Operations by Non-State Actors (NSA)

Non-state actors should not engage in offensive cyber operations, and state actors should prevent such activities and respond if they occur.

Norm to protect the Electoral Infrastructure

State and non-state actors must not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.

Norm against commandeering of ICT Devices into Botnets

State and non-state actors should not commandeer the general public's ICT resources for use as botnets or for similar purposes. GCSC has called on state and non-state actors not to commandeer civilian devices to facilitate or directly execute offensive cyber operations.

Norm to Avoid Tampering

State and non-state actors should not tamper with products and services in development and production, nor allow them to be tampered with, if doing so may substantially impair the stability of cyberspace.

Norm of non-interference with the Public Core

State and non-state actors shouldn't do anything that intentionally and significantly hurts the general availability or integrity of the public core of the Internet and, as a result, the stability of cyberspace, or knowingly allow something like that to happen.

Norm for States to Create a Vulnerabilities Equities Process

States should create procedurally transparent frameworks to assess whether and when to disclose not publicly known vulnerabilities or flaws they are aware of in information systems and technologies. The default presumption should be in favor of disclosure.

Norm on Basic Cyber Hygiene as Foundational Defense

States should enact appropriate measures, including laws and regulations, to ensure basic cyber hygiene.

The Supreme Court Reins in CFAA in Van Buren, Orin Kerr (2021)

The CFAA makes it illegal for someone to bypass a closed gate on a computer. This means that to violate the CFAA, a person must bypass a gate that is down and that they are not supposed to bypass. The court rules that access without authorization and "exceeding authorized access" require the same basic test.

How should we deal with (cyber) interference?

The UN Charter's norm of non-interference is being challenged in the digital age. Experts have debated whether cyber-related election interference amounts to a violation of sovereignty. GCSC recommends stronger national measures and international cooperation to prevent, mitigate and respond to cyber intrusions against technical electoral infrastructure. Governments must commit to refraining from engaging in cyber operations against the technical electoral infrastructure of another state. The GCSC affirms that election interference is intolerable.

Rules of engagement for cyberspace operations: a view from the USA (2017), C. Robert Kehler, Herbert S. Lin, Michael Sulmeyer

The US military has decades of combat experience developing ROEs for kinetic weapons, but cyberspace operations provide significant challenges to ROE formation. Cyber-specific ROEs are shaped by sensitive command and control and escalation considerations. Cyber weapon ROE reformulation (unless indicated) is hindered.

Assessing the Vulnerabilities Equities Process, Three Years After the VEP Charter, Andi Wilson Thompson (2021)

The White House has failed to increase transparency in the Vulnerabilities Equities Process (VEP), a framework for weighing the advantages and disadvantages of disclosing newly found vulnerabilities in information systems and technologies. Advocates had hoped that the 2017 VEP charter would signal a commitment to transparency and openness, but the preceding three years have seen little to no disclosure of process or applicant information. This lack of transparency has raised concerns about bias and accountability in decision-making and hindered VEP improvements.

What is the public core of the internet?

The infrastructure of the Internet includes critical elements such as packet routing and forwarding, naming and numbering systems, security and identity mechanisms, transmission media, software, and data centers.

Vulnerabilities Equities Policy and Process for the United States Government, White House (2017)

The policy aims to prioritize the public's interest in cybersecurity, while also allowing for the potential use of vulnerabilities by the USG for lawful intelligence, law enforcement, or national security purposes.

Nicholas Schmidle, The Vigilantes Who Hack Back, 2018

This article asks how American companies can retaliate without breaking the law. "Hacking back" is problematic in many dimensions:
- It is difficult to see what you're up against.
- You are going into battle with little intelligence.
- The weapon set won't fit the target set; little odds to win.

Revealed: Leak uncovers global use of cyber surveillance weapon (2021)

This article claims that authoritarian regimes have targeted human rights activists, journalists, and attorneys worldwide using NSO Group hacking tools. NSO claims their Pegasus software is reserved for use against criminals and terrorists, yet a vast data breach implies widespread and ongoing abuse. The data dump includes over 50,000 phone numbers that NSO clients may have identified as individuals of interest since 2016. The phone numbers in the data do not indicate whether a device was infected with Pegasus or hacked, but the inquiry thinks they indicate prospective targets that NSO's government customers identified before surveillance operations. A forensic study of a small number of phones on the leaked list found that more than half carried Pegasus malware.

What is the Vulnerabilities Equities Policy and Process (VEP)?

This is a policy and process used by the United States Government to balance and make determinations regarding the disclosure or restriction of information about newly discovered vulnerabilities in information systems and technologies.

"gates-up-or-down inquiry"

This means that to violate the CFAA, a person must bypass a gate that is down and that they are not supposed to bypass.

What is the purpose of the VEP?

This policy aims to balance the potential benefits and drawbacks of disclosing or withholding information about newly discovered vulnerabilities. The policy prioritizes the public's interest in cybersecurity and the protection of critical infrastructure and the economy. It also allows for the potential use of vulnerabilities by the USG for lawful intelligence, law enforcement, or national security purposes.

Computer Fraud and Abuse Act Section 1030 D

This provision states that the United States Secret Service has the authority to investigate offenses related to this section, and the FBI has primary authority to investigate offenses related to espionage, foreign counterintelligence, and other related offenses. This authority is exercised in accordance with an agreement between the Secretary of the Treasury and the Attorney General.

CFAA 18 U.S.C. § 1030(a)(7): Threatening to Damage a Computer

This section of the CFAA prohibits extortion threats involving damage to a computer (involving confidential data).
1) Intent to extort money
2) Transmit in interstate or foreign commerce a communication
3) Containing a threat to damage a protected computer OR to obtain or reveal confidential information or in excess without authorization OR demand or request for money or value in relation to damage done in connection with the extortion

Computer Fraud and Abuse Act S 1030 C

This subparagraph expands on violations of (A) and (B). These are punishable by fine, 20 years in prison, or both. Attempts are also punishable by fine, 10 years, or both after a prior conviction. "Intentionally or deliberately inflict substantial physical harm"

What would happen if the break-in was from abroad?

Tracking ("attribution") of international hacks is challenging because the digital terrain extends beyond domestic networks. As a result, you deal with complications surrounding the hacker's digital footprint, fake trails, and implementation of foreign law enforcement.
1) The digital footprint can lead you to a fake trail.
2) The fake trail can lead you to the wolves' mouth (mistaken attribution).
3) Even when you've caught the criminal, there's often little chance that an indictment of a foreign hacker would lead to a conviction.

Failures that have hampered the VEP

VEP decision-making greatly favors players who want to keep valuable vulnerabilities hidden. This imbalance may favor leveraging vulnerabilities for law enforcement or foreign intelligence over disclosure. The VEP's reliance on participants' subjective opinion to assess vulnerabilities may induce bias and subjectivity. Lack of openness and accountability in the VEP has generated concerns about prejudice and potential conflicts of interest in decision-making. These biases may limit the VEP's efficacy and fairness and have hampered efforts to enhance it.

If someone breaks into your computer, can you follow them back and recover your data?

You CAN (if you have the proper skill set), but whether you SHOULD depends on the risk you're willing to incur and the toolset you have. It is generally not advisable to follow a hacker back for three reasons: 1) they expect it, 2) it might not lead you where you think it will, 3) it might leave you worse off. Revenge in the cyber domain is like going in blind. It's easy to falsely attribute a crime to a country by following a hacker back to a network they expect you to follow them to. You might falsely attribute and thus incur damage from the third party. Or you might even be left worse off by discovering that the adversary's capabilities outnumber yours. It's risky, and it's not possible to see if it's worth the risk until you see it through.

Van Buren v. United States

A U.S. Supreme Court case that dealt with the interpretation of the CFAA, establishing the gates-up-or-down inquiry for determining unauthorized access under the CFAA. Nathan Van Buren used a government database for personal reasons after being told he could only use it for work. RULING: The court ruled that Van Buren did not violate the CFAA because he had been provided access to the database, and the workplace rule was not a closed gate that he needed to bypass.

What is a "protected computer"?

A computer that is exclusively for the use of a financial institution or the United States government, or is used by or for a financial institution or the government, and the conduct constituting the offense affects that use. It can also be a computer used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that affects such commerce or communication.

"Exceeds authorized access" refers to what?

Accessing a computer with authorization and using that access to obtain or alter information that the accesser is not entitled to obtain or alter.

Computer Fraud and Abuse Act 1986

An important law for prosecutors to address cyber-based crimes. It protects federal computers, bank computers, and computers connected to the Internet. Amends the Federal criminal code to change the scienter requirement from "knowingly" to "intentionally" for certain offenses regarding accessing the computer files of another.

Under the VEP what information SHOULD be disclosed?

The default assumption is that information about a newly discovered vulnerability in an information system or technology should be disclosed to the vendor or supplier in the expectation that it will be patched. The goal is to prioritize the public's interest in cybersecurity and to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy through the disclosure of vulnerabilities.

What is damage?

Damage means impairing the integrity or availability of data, programs, systems, or information.

