European Journal Of Crime Criminal Law And Cyber Threats: Exploring The Pros And Cons Of Retaliation Measures

Cyber Threat Landscape

Every nation across the globe faces some form of cyber threat. Securing the web is a daunting job even for specialists and experts. Not a single week goes by without reports of virus infections, phishing scams, hacking attempts and the like. Individuals, governments and organizations are all at risk from these cyber-borne threats. Irrespective of the type and extent of the security measures employed, substantial security risks would still remain. Many of these threats are caused by threat agents motivated by destruction, espionage, theft and personal gain. Each year, hundreds of billions are lost due to cyber threats. In 2012, cybercrime cost 1 trillion USD (Kharat, 2017). In 2021, it is expected to rise to 6 trillion. Cybersecurity spending is also going to rise to 1 trillion USD (Horowitz and Lucero, 2016). With this in mind, many groups around the world are voicing their support for ‘hacking back’, that is, attacking the attackers, in the hope that this would effectively demotivate them from carrying out cybercrimes. This paper gives a brief overview of the cyber threat landscape and then explores both sides of the conversation in order to provide a set of general recommendations.

Over the last two decades, companies around the world have been victimized by attacks on their computing systems. Hackers attack these corporations’ websites, disrupt their communication systems and, most importantly, steal their data. NSA Director General Alexander has termed these cyber-frauds the ‘greatest transfer of wealth in the world history’ (Rabkin and Rabkin, 2016).

Despite billions invested in cyber-security infrastructure, some of the cleverest hacking organizations still work their way through the heaviest cyber-defences in the world. These determined attackers, who spend a great deal of time working their way past these heavily guarded defences, are termed ‘advanced persistent threats’ (A. and Ghani, 2016). Many of these cybercriminals typically operate from foreign countries, beyond the reach of the host countries.

Owing to these increasing and persistent cyber threats, many frustrated computer security experts have been voicing their support for retaliatory measures that would let them conduct ‘hack-back operations’. As a result, there have been many such dialogues throughout the world, along with an exploration of the risks involved. So far, all these conversations have generated talk without any action plans. This is because, in the United States alone, the Computer Fraud and Abuse Act (CFAA) prohibits private organizations and individuals from attacking or damaging computer systems even if they are being attacked by an external party (Goldman, 2012).

The Argument for Retaliation Measures

Today’s emerging threats tend to be extremely destructive, as they now focus more on government intellectual property, critical industries and financial corporations that are essentially the fabric of any nation. Based on this scenario, one can deduce that threat actors are ‘elements that help or cause in attaining a digital incident’ (Verizon, 2014). Modern-day threats are widespread and target advanced computing systems, industrial infrastructure, public infrastructure such as traffic signals, dams and electricity, and even common consumer-grade products such as smartphones, app stores and desktop computers. Threats come in a variety of shapes and forms. They range from malware, Trojans and viruses that affect systems worldwide and cause destruction, theft or disruption, to insider attacks, phishing scams and even ransomware. For instance, WannaCry, a ransomware released in 2017, affected nearly 300,000 systems around the world before being subdued owing to a fortunate discovery on the third day of its attack (Popli and Girdhar, 2017). However, it managed to affect hundreds of thousands of systems around the world. The threat agents are hacktivists, criminals, terrorists and sometimes even state-sponsored groups.

Cyber intrusions are heavily disguised, and in various ways. This is because attackers use multiple routes to reach their target, routing the attack through a series of networks. As a result, if the company or organization wishes to retaliate, the exercise might lead back to the hackers themselves, in the process causing damage to them or, better still, uncovering details about them which can then be used for legal prosecution.

Another argument supporting the retaliation option is that many cyber attackers originate from countries such as China and Russia, which are predominantly globalized nations, thereby have stringent laws and therefore co-operate with global laws. However, since the attackers operate from behind smoke and mirrors, a mere legal notice to their legal authorities will do no good, as they can easily hide when provoked. In such cases it might be better to follow up an initial warning by collecting more information about these perpetrators and then handing it over to the local authorities so that they can act on it.

Yet another similar argument comes from the US government, which has employed a kind of ‘Name and Shame’ campaign. In this case, the government probes into the attackers and, once it has identified them, publicises their names, including which country they belong to. Accordingly, in May 2014, the US government indicted 5 Chinese attackers who had hacked into private US companies. Similarly, in March 2016, the US indicted several Iranian government employees for their attack against US banks as well as for trying to control a dam. Although there was little chance of actually having these criminals arrested, US government officials hoped that this series of retaliation events might have some deterrent effect. In the case of China, there is some evidence suggesting that there has been a temporary shift in behaviour.

The Argument Against Retaliation Measures

Apart from government organizations, private organizations have also shown some capacity for this kind of investigation. The case of GhostNet illustrates this. In 2009, a group of independent, non-government-sponsored researchers organized an ‘Information Warfare Monitor’, mostly based in Canada. This engagement was able to expose an espionage program called ‘GhostNet’. The researchers showed that ‘GhostNet’ was installed on various computers which were of strategic interest to China (Wilcox et al., 2013). These computers belonged to foreign embassies, including the Dalai Lama’s. The researchers observed that the program was sending files, emails, keystrokes and audio data back to China. None of this evidence can help bring China before a court of law, but the overall picture is persuasive. The argument is essentially that a small group of private researchers could do so much without any sort of counter-hacking, which suggests that they could do a lot more if they had broader legal authority.

Another argument suggests that the government should allow victims of cyber-attacks to try to defend themselves by means of counter-hacking. The suggested approach is to conduct counter-hacking through a proxy. This means that the government would maintain a list of companies that would conduct these operations. Once these companies gather enough data, they can carry out their counter-hacking operations. If these go successfully, there could be future demand from corporations for such ‘hack-back’ scenarios. Further down the line, this could help reduce the overall incidence of cybercrime.

Businesses and organizations have valuable, mission-critical assets that hold information about their businesses, clients, suppliers, data, patents and other IP. In contrast, these criminal groups usually do not (Pool and Custers, 2017). As a result, if enterprises did end up creating a system to attack these cyber-criminals, it would cost them hundreds of millions of dollars, and ultimately they would be attacking targets that are readily replaceable.

Another major issue is that, although it may seem so, retaliation is not similar to drawing a gun on an intruder. Unlike traditional intrusions, cyber-intrusions are sometimes not discovered for weeks or even months, and even once they are known, the overall investigation and forensic analysis could take days, weeks or perhaps months before there is even slight intelligence as to who was behind the attack. By the time concrete information is available, the attackers may have gone into hiding, changed their aliases, location or identity, or even left their respective positions. As a result, retaliation is comparatively complex and never quick.

Why Retaliation Measures are not a Quick Fix

Thirdly, the major problem with this sort of approach is that any form of hacking, even when done with the ‘purest’ intentions, is essentially a federal crime in nearly all countries. The law prohibits anyone from ‘knowingly’ accessing another computer without official authorization.

Chasing hackers is quite difficult, in part because the internet enables a high level of anonymity. Hackers tend to use anonymization services such as VPNs, Tor, encryption and other hopping points to hide behind. For instance, if a hacker wants to steal something from London, he or she would first penetrate a computer in Taiwan and then use that computer to penetrate another one in Perth and so on, until enough ‘hop points’ have been achieved to make their trail practically invisible. A sophisticated hacker could hop as many as 30 times before unleashing an attack (Gupta and Anand, 2017). Chasing them would cost money, resources and time that could be spent elsewhere.

Another argument that questions the retaliation approach is that an accurate ‘traceback’ is difficult to achieve and carries a substantial risk, which could ultimately lead to organizations and governments attacking legitimate businesses or individuals around the world. For instance, cyber experts purposely infect several hundred to thousands of computers with malware, compromising their security and gaining access to their systems. These systems are then used to attack others automatically. Each such system is known as a ‘bot’. Bots join a pool of other bots and collectively become a ‘botnet’, which is then controlled by hackers to attack institutions and organizations around the world (Jiang et al., 2012). These botnets essentially comprise thousands of computers owned by innocent users.

A clever cyber-fraudster could use these retaliation laws to their own group’s advantage. For instance, they could use another organization’s or user’s systems to launch an attack on a different individual or organization. Since the law now permits retaliation, the attacked organization or user is going to attack back at the victim whose systems were hijacked, which would in turn suffer twice. This way, the attacker causes massive damage while remaining completely off the grid. This is essentially a false-flag attack.

Effective retaliation requires an investigation on a massive scale so that the perpetrators are found quickly. Afterwards it requires meticulous planning and coordination between the company and security experts to effectively create a plan for retaliation. All of this requires heavy investment and a lot of company resources. Some organizations may be ill-prepared to carry out such an attack. Even if they do launch an attack, it may just damage some other organization or group which had nothing to do with the attack in the first place. Or they might succeed in attacking the actual group, in which case the company would have burnt through precious resources and ultimately end up with significant monetary damages.

Since existing laws prohibit retaliation, there can currently be no retaliation without being charged with federal crimes. Also, based on the arguments put forward by advocates of each side, one can deduce that retaliation could never be a rational or healthy choice, no matter how tempting or desperate it may sound. However, based on the arguments put forward by both sides, the following set of recommendations may help achieve a middle ground.

Instead of engaging in retaliation, which is risky behaviour, corporations or organizations under attack should share as much data as possible so that it can help bring about an industry-wide response.

When an organization suspects it is being attacked, it can instead conduct a live forensic investigation on the compromised system to understand the source of the attackers. With this intelligence, the organization can approach either the government or the courts in order to file a lawsuit against the perpetrators. This method of retaliation ensures that there are no legal consequences and also increases the chances of prosecuting the perpetrators.

Another recommendation is to analyse the attackers and, with enough evidence, release their names to the public. This ‘naming and shaming’ tactic may also prove effective, especially if the perpetrators originate from a country with a good reputation in the international market. This is because a country in the international market is always banking on creating goodwill so as to improve its foreign trade and cross-country business. No country would like to be branded a ‘cyber-terrorist state’, and it would therefore make its own domestic laws stringent enough to deter any potential cyber-terrorists in the future.

Another set of recommendations is essentially general security practice: organizations should remove non-essential machines from internet access in order to prevent attackers from exploiting known holes. If something cannot be fixed or updated, it should be removed from the main network. Apart from this, an organization could also improve its general security posture and follow up regularly with security best practices to keep its systems protected against such threats.

Finally, an organization could also consider transferring some of these cyber-risks to a third-party insurance company by purchasing what is referred to as ‘cyber insurance’. Cyber insurance will not deter attacks but can protect the organization against damages caused by security incidents.

Conclusion

Ultimately, one may ask what the final solution to these hack attacks is. The answer is not simple, as there is no clear answer. This paper has analysed the arguments put forward by both sides. Even though the arguments from both sides sound convincing, one ultimately has to oppose the hack-back movement. This is because, if retaliation is legalized, corporations and organizations from around the world would join hands in creating ‘hack-back’ tools. Such a tool would no doubt be comprehensive and extremely powerful. But what happens when such a tool leaks out to the general public and finally into the hands of the perpetrators themselves? This problem and many others currently plague the retaliation mentality. The challenges lie with social identification, law enforcement and legal liability. Advocates of the hack-back movement may argue about the benefits of such laws, but beyond that it would always end in self-destruction. Ultimately, with hack-back tools and techniques, the integrity of the internet itself may be undermined. The current attacks on specific infrastructures may turn into widespread attacks on entire business sectors. This could ultimately lead to a cyber-warfare scenario. However, doing absolutely nothing is also not a viable option, and so one has to create a middle ground that provides tools and a legal framework to help corporations and organizations around the world fight these cyber threats.

References

A., M. and Ghani, N. (2016). Critical Analysis on Advanced Persistent Threats. International Journal of Computer Applications, 141(13), pp.46-50.

Goldman, L. (2012). Interpreting the Computer Fraud and Abuse Act. Pittsburgh Journal of Technology Law and Policy, 13.

Gupta, A. and Anand, A. (2017). Ethical Hacking and Hacking Attacks. International Journal Of Civil Engineering And Computer Science.

Horowitz, B. and Lucero, D. (2016). System-Aware Cyber Security: A Systems Engineering Approach for Enhancing Cyber Security. INSIGHT, 19(2), pp.39-42.

Jiang, J., Zhuge, J., Duan, H. and Wu, J. (2012). Research on Botnet Mechanisms and Defenses. Journal of Software, 23(1), pp.82-96.

Kharat, S. (2017). Cyber Crime A Threat to Persons, Property, Government and Societies. SSRN Electronic Journal.

Pool, R. and Custers, B. (2017). The Police Hack Back: Legitimacy, Necessity and Privacy Implications of The Next Step in Fighting Cybercrime. European Journal of Crime, Criminal Law and Criminal Justice, 25(2), pp.123-144.

Popli, N. and Girdhar, A. (2017). WannaCry Malware Analysis. MERI-Journal of Management & IT, 10(2).

Rabkin, J. and Rabkin, A. (2016). Hacking Back Without Cracking Up. [ebook] Stanford University. Available at: https://www.hoover.org/sites/default/files/research/docs/rabkin_webreadypdf.pdf [Accessed 26 May 2018].

Wilcox, C., Hardesty, B., Sharples, R., Griffin, D., Lawson, T. and Gunn, R. (2013). Ghostnet impacts on globally threatened turtles, a spatial risk analysis for northern Australia. Conservation Letters, 6(4), pp.247-254.