Agora Active Defense Workshop Report
The Agora[1] and the University of Washington Information School’s “Active Defense”
research project (funded by a grant from Cisco Systems Critical Infrastructure Assurance Group)
co-sponsored a workshop in the Arctic Building in Seattle, Washington, on September 12, 2003
to discuss Active Defense. This was the third workshop that the Agora has held over the past
two years. What follows is a rough overview of the discrete topics covered in the workshop.
Resources and cases cited by participants, as well as other information related to this workshop
and the Active Defense research project, can be found at the project web site:
http://staff.washington.edu/dittrich/ad/
Background - Active Defenses to Cyber Attacks
To kick off the workshop discussions, Dave Dittrich first presented a framework for
“Active Defense,” which later led into an attack scenario that he presented along with John
Christiansen. The slides and audio for this section are available on the web:
http://staff.washington.edu/dittrich/ad/AD-workshop-091203.pdf
http://staff.washington.edu/dittrich/ad/02-Background.mp3
[1] The Agora is a group of security professionals, law enforcement, government and private sector
managers, who meet quarterly in Seattle, Washington. A document prepared for a GAO
interview on August 8, 2001 that describes the Agora can be found at:
http://staff.washington.edu/dittrich/misc/AgoraGAO2.doc
The Department of Defense Perspective
The Department of Defense recently went through a similar workshop and discussion
process in attempting to tease out the details surrounding active defense in the military computer
network sphere. The DoD came up with a tiered model for active defenses that follows a
progression, with each tier requiring a higher level of command to authorize the actions it covers.
The tiers (growing upwards from 1 at the bottom to 3 at the top) are:
1. Enhanced defensive actions;
2. Actions that would enable attribution;
3. Actions which could cause “minimal and temporary” damage to someone else’s computer system.
The key goals of this progressive response are to ensure a clear line of authority for any action
taken, to keep a cyber response proportional, to keep it in line with other types of response,
and to use the least force necessary to obtain an objective.
“The Battle Space” – Comments by Tom Donohue
When the Intelligence Community discusses computer operations with the military in
support of any kind of planning for action, they constantly ask these questions: “What is the
battle space? How well do you understand the landscape in which you will be carrying out
operations, and how do you stack up against your enemy? If someone has been scanning and
probing your network for weeks or months, what do they know about you as opposed to what
you know about them? What happens if you decide to strike back, and more importantly, if you
actually do manage to hit the right person, what will they then do in retaliation?”
When members of the electric power industry do “red teaming” to test security of their
computer networks, they are very careful not to break in if the site being tested has SCADA[2]
systems on the network being audited. This is because the networks with these systems can be
so unstable that the impact of a heavy-handed penetration test is unpredictable and could cause
actual outages. An example given was a case where an attacker broke into a system and simply
began to scan the network from this system. The act of scanning alone was enough to cause the
network to become unstable and to start failing. This was purely an accident, but it underscores the
question, “do you understand the battle space – that you are part of it – and do you realize what
kind of damage a malicious attacker can cause against you?”
SUMMARY OF “GENERAL DISCUSSION (1)”
The participants had been presented with a scenario that theoretically might evoke an
“active defense” response. The question posed to the participants was: given this scenario, what
would you do? As indicated below, many of the “answers” really revolved around what
should have been done prior to the attack to prevent it from occurring or succeeding in
the first place, and these often involved a variety of technical measures.
Another category of response focused on information gathering. How, once under attack,
can you gather sufficient information about what is happening to your system? What is the
source of the attack? Jurisdictional concerns were also touched upon briefly, in that a participant
asked where the systems were located that were attacked or that were being utilized by the attack.
The scenario assumed the answers here were the United States, but the participants recognized
how quickly things would get even more complicated if there were international aspects or
jurisdictions involved.
Participants raised some of the following concerns:
- How quickly an attack can occur;
- Possible address spoofing by the attackers;
- Companies being sure they have backup capabilities for online access;
- Standards of care that might be enforced against servers that were “innocently” being used to launch attacks;
- The degree of severity of “attacking back” being related to the risks of not attacking back – for instance, whether human life was at stake, as in a DDoS at a hospital versus a bank or a retail bicycle store;
- Pressure on systems administrators and others from their bosses in an attack situation.
[2] SCADA stands for “Supervisory Control And Data Acquisition.” These are devices that
provide for computer control and monitoring of physical devices, such as valves, pressure gauges,
etc. A recent GAO report titled “CRITICAL INFRASTRUCTURE PROTECTION: Challenges
in Securing Control Systems,” dated October 1, 2003, discusses this issue. See
http://www.gao.gov/cgi-bin/getrpt?GAO-04-140T
SUMMARY OF DOMESTIC LEGAL CONSIDERATIONS
During an attack, competent and tech-savvy legal counsel would make some assumptions, e.g.,
“it’s a University, and they have lax security,” and would advise, “these are the risks – you make
your decision appropriately.” If the situation were slow-moving, a lawyer could write up a
complaint against the University, get a restraining order from a court (and there is precedent in a
Texas court), and get legal backing for intervention. In a fast-moving situation, there would be
no time for this.
It could be argued that the University network is “an attractive nuisance” and that they may
be negligent. If a victim believes they are then justified in taking action, they may be surprised if
they cause damage and are then faced with a court deciding which party is more negligent and
how to split the damage costs. Arguments would be made about standards of care and the difficulties of
securing University networks. Liability is certainly becoming a hot topic, and it is only a matter
of time before more liability suits come about regarding negligence in securing computer systems.
A decision by an executive in a corporation to take action should put the liability in the
hands of the corporation as a whole, not individually against those at lower levels who act under
order of a corporate executive.
The discussion then headed into the criminal side, looking at actions of someone acting to
protect their systems. In the area of damage to property, there are statutes about shooting animals
(Ivan Orton found court decisions[3], statutes[4] and news articles regarding shooting bear[5] or moose
out of season when they were caught damaging someone’s property.) The statutes are a little
unclear, but do show that there is some precedent regarding use of force in protection of property.
(Where/how these could be analogized to the cyber environment is not clear.)
You have more leeway if the person is clearly acting against you. If the attacker has some claim
of right, it is harder to justify going after the attacker. You must still avoid actions that result in
“substantial danger of bodily harm” to the attacker you are going after; you must use the minimal
force necessary, and it must be proportional to the attack against you and not significantly more
forceful. Intent would also be taken into consideration (the wording in Washington State’s
malicious mischief statute[6] is “to vex, harass, annoy.”[7]) A “reasonable person” standard is used.
Washington’s Computer Trespass statutes[8] simply say, “…intentionally gain access to a
computer system without authority.” There is no defense written in (or implied within) this
statute that would allow someone defending their system to enter a compromised computer.
It is not clear if common law would result in a defense in this area.
[3] State of South Carolina v. Jeffrey M. Thompson, South Carolina Supreme Court opinion 25459
(Use of force against fur bearing animals) http://www.law.sc.edu/opinions/25459.htm
[4] 9 GCA: Crimes and Corrections, Chapter 7 (Section 7.90: Force in Defense of Property:
Defined and Allowed) http://www.guamattorneygeneral.com/gca/9gc007.pdf
Judges and Legislatures in 21st Century Torts: Integrating Cases and Statutes, by David W.
[Jake] Barnes, Seton Hall University School of Law (pp. 2-4) http://www.aals.org/profdev/torts/barnes.pdf
[5] Bear Shootings under fire, by Stefan Hard, Times Argus, July 25, 2003 (Laws re: use of force
against moose more specific than laws re: use of force against bears)
http://timesargus.nybor.com/Local/Story/69133.html
[6] RCW 9A.48.080
http://www.leg.wa.gov/RCW/index.cfm?fuseaction=section&section=9A.48.080
[7] RCW 9A.04.110 (12)
http://www.leg.wa.gov/RCW/index.cfm?fuseaction=section&section=9A.04.110
[8] RCW 9A.52 § 110, 120, and 130
http://www.leg.wa.gov/RCW/index.cfm?fuseaction=chapterdigest&chapter=9A.52
The concept of “self defense” is not clear in Active Defense scenarios. People often
claim they are acting in “self defense”; however, this is not a personal physical attack, and it is
directed against property (most likely) rather than directly against a person. This same problem
comes up when trying to use “use of force” guidelines, such as those used by Police departments.
Ivan’s examples were explicitly focused on use of force to protect property.
One participant brought up the issue of scanning, as a means of data collection, and asked
if this fit the “computer trespass” statutes. In Washington, the term “accesses” is used in the
statute. One case in Washington had to do with “war dialing”, and asked whether this was
unauthorized access or not. (Ivan’s opinion in this case was that this was akin to doorknob
rattling, which is not actual trespass.)
Another participant brought up that the hospital (and University) in the attack scenario
had no intent to harm in any way, and was in fact just used as a stepping-stone by someone else.
That would imply that they have no criminal liability, and actions against their systems may not
be justifiable given the absence of malicious intent. Ivan and John both pointed out that this would
likely be a civil liability issue, not a criminal one, although John mentioned that a law
enforcement agency friendly to the attacked site may very well try to bring criminal charges.
In this scenario, the victim considering Active Defense is a financial
institution, and therefore may be required to inform the SEC (or other authorities) about the
attack, especially if the attack may have been waged by a competitor. A point was made that you had
better do good forensics in a case like this.
Current laws regarding assault only deal with real persons, not computer systems. It is
unclear if laws will adapt to this situation and begin to consider computer systems in terms of
assault or self-defense. Another body of law that may apply is that of industrial espionage (e.g.,
doing harm through theft of intellectual property). This may most cleanly be defined as
“tortious interference with various economic activities,” for which there is a legal remedy.
SUMMARY OF “MISCELLANEOUS COMMENTS & DISCUSSION”
One participant raised the point that online security specialists are required before
certification to read and sign a Code of Ethics that puts the interests of society higher than the
interests of any particular employer. This participant asked how many people in the room were
certified security specialists and received a smaller number of respondents than he had hoped.
A second participant introduced upcoming topics such as active defense in the
international arena; how different organizations might respond differently depending on whether
the organization was a critical care facility, a public safety agency, or a private business; and
preventative or help tools that might be put in place to prevent having to make snap decisions in
an attack situation.
SUMMARY OF INTERNATIONAL LEGAL CONSIDERATIONS
Criminal law is very well defined here in the United States in regards to computer crimes.
Internationally, however, there is very little international law concerning computer intrusions.
Laws concerning computer systems and electronic forms of data and property are quite different
from country to country, if there even are laws concerning these topics. In many countries,
computer data (information) is not considered property at all.
An example given at the workshop was Onel de Guzman[9], author of the “I Love You”
virus. Laws in the Philippines at the time de Guzman launched this virus did not consider
computer data to be property, and the Philippines had no laws on their books covering computer
intrusion or damage. The FBI quickly tracked the attack to de Guzman, and had the cooperation
of the Philippines federal police, but when asked by the FBI to arrest de Guzman, courts in the
Philippines could not help. Nothing could be done, despite the significant estimated worldwide
damages, which ran into the millions of dollars.
In addition to needing a law under which to bring a criminal action, another requirement
is that the act must be illegal under both jurisdictions for extradition to occur. Going back to the
de Guzman case, he could not be brought back to the US to stand trial because of the same
reason: he did not break any existing Philippine law. (This is known as “dual criminality.”)
Another international legal issue, in situations where dual criminality is not an issue, arises in
instances where a foreign government believes that a criminal law in its country has been
violated. If a foreign entity detects the Active Defense actions of an individual, tracks this
individual back and identifies her, and reports it to their federal law enforcement, it may be
investigated as a crime. The foreign government would then issue a warrant for the suspect’s
arrest, serve this warrant on the United States Department of State, which serves it on the FBI,
which then arrests the suspect and prepares to deliver the suspect to the foreign government.
This is a worst-case scenario (for the Active Defender). In the best case, our government refuses
to extradite. The problem here is that one cannot predict which result one will get.
[9] http://www.infoplease.com/ipa/A0862203.html
One example here is the “Invita” case[10]. In this case, the FBI was able to entice two
suspects from Russia to come to the US for an “interview.” During the “interview,” the FBI
obtained an account and password to the suspects’ system in Russia and used this
account/password to do remote forensic data collection. The Russian government issued a
warrant for the FBI agent’s arrest, which the US government chose not to honor. If this agent
were to travel to Russia, or to a country with a friendly relationship to Russia, he stands a chance of
being arrested and handed over to the Russian government.
Finally, above and beyond the legal issues of international computer activity, what is of
major concern is the interpretation of these actions by a foreign government. Some countries
would consider an attack on their military command and control networks by an entity that could
be associated with a foreign government’s military as an act of war, and may choose to respond
militarily. (One example cited was the stated response of Russia to attacks on their military
command and control networks, which is to use force up to and including nuclear weapons.) A
situation where this was an issue was the 1994 Rome Labs[11] case involving “Datastream
Cowboy” and “Kuji,” two UK hackers who used systems at Rome Labs as stepping stones to
break into systems at the Korean Atomic Research Institute, to steal data from the Korean system,
and to store it back at Rome Labs. The US military and FBI, who were monitoring the incident
and attempting to track the hackers, were not sure at the time whether this host was in South or North
Korea, and feared that North Korea would interpret any U.S. response as an attack by the US
military and would respond as if it were.
[10] Lawyers slam FBI 'hack', by Robert Lemos, ZDNet News, May 1, 2001
http://barbara.simons.org/lawyers_slam_fbi_hack__1.html
Judge OKs FBI hack of Russian computers, MSNBC, May 30, 2001
http://zdnet.com.com/2100-11-529917.html?legacy=zdnn
'Stung' Russian Hacker Guilty, by Michelle Delio, October 17, 2001
http://www.wired.com/news/politics/0,1283,47650,00.html
SUMMARY OF GENERAL DISCUSSION (2)
The point was made that we are attacked and probed all the time, and an open question
was posed: what is the intent behind these, are they nation state actors, and when would they be
considered an act of war? A participant pointed out that in the military context, the only people
authorized to pull a trigger are people in the military, and that only two people can authorize a
computer network attack: the Secretary of Defense or the President.
A participant asked what would happen if an elite law enforcement force were available
to get involved in any kind of network security incident. Could this force take the necessary
trace-back actions, gather the critical evidence, and call for measures to block a network attack?
(A proposal to this effect was made in 1998 by Stevan Mitchell and Elizabeth Banker in their
Harvard Journal of Law and Technology article, “Private Intrusion Response.”[12])
[11] http://www.ieee-security.org/Cipher/Newsbriefs/1996/960522.GAOrept.html
The concept of a private industry response to computer network attack is an interesting
one, but a participant brought up a worry the military has of “fratricide.” What would be the
effects of a private active defense response in a situation that was a military attack? If there
actually is a larger scale attack, and the military is assessing the scope of this response and trying
to geo-locate an adversary, could the actions of a private individual inadvertently block the
military and prevent attribution? Would this result in a greater harm because of these actions?
Actions that strike back, from one private entity in Country A to another private entity in
Country B, may leave no other self-help options other than to go through “proper channels.”
There may not be a justifiable right to self defense, or defense of property, in an international
situation. (Of course computer attackers, for many years, have taken advantage of this situation
to make it less likely they will be caught or stopped.)
Another participant made the point that an action against a foreign government requires
Congressional intervention, and cannot be taken by a private individual. However, it may not be
a clear attack by a foreign military adversary as opposed to a foreign private individual. It may
not even be clear if an individual attack is part of something larger and more concerted.
Conversely, an attack that appears to come from a large corporation in the United States (that
happens to be a military contractor) may be interpreted by a foreign government as a military
attack on their infrastructure. (Again, look at the Rome Labs incident).
[12] http://jolt.law.harvard.edu/articles/pdf/v11/11HarvJLTech699.pdf
SUMMARY OF DISCUSSION ON “PROTECTING PUBLIC SAFETY”
This portion of the workshop began to focus participants on issues involving attacks on
computer systems where public safety concerns would be significant: medical facilities,
electrical power grids, water systems, governmental communications, etc. The core issue was
whether or not concerns about public safety might provide more justification for active defense
measures.
In the medical facility context, one participant noted that though she was in the minority
at her workplace, she thought “any means necessary” were justified in an attack situation if those
means meant protecting patient care. Another participant stated that he did not see how attacking
back in that situation would protect the patients. He also stated that he would not want to be a
patient in a facility where his care was dependent upon data solely on the internet.
A participant asked whether the fact that an attack violated the USA PATRIOT Act[13] (or
presumably some other federal or state criminal or civil statute) might not be a part of the
calculation regarding active defense – not that the violation alone might justify an active defense
response. One of the legal practitioners stated that he did not think a violation of a statute aided
in the self-help calculus, because if one could wait for the legal system to act then self-help
through active defense would not be applicable. Active defense is contemplated to be a remedy
when immediate response is required.
[13] http://www.epic.org/privacy/terrorism/usapatriot/
Participants discussed the general question of whether a state entity had more limits,
Constitutional restrictions for instance, on its response to an attack, and also addressed a related,
converse question: whether a state entity had more remedies at its disposal as compared to
private companies.
The discussion of public safety returned to many of the prior themes the workshop had
discussed, but this time in the context of public agency response. A participant directly involved
in public safety said that the problems of attacks and how to respond to them arose all the time
and that in his opinion there were no clear answers.
In response to this, another person stated that if a state agency was faced with the
question of whether to use active defense measures or not, then the state agency had already
failed the public by failing to ensure that such attacks would not succeed. In response to this, the
resident ethicist said that merely because an agency had been negligent in the past in ensuring its
systems could not be successfully attacked did not negate the question of what to do in the event
of an attack – especially if lives – or public safety – were at stake.
Another participant said that expecting the agency to always be prepared was not realistic
because it was an “arms race” where the attackers and the defenders would always be
developing new and more sophisticated ways of attacking and defending.
A representative from the CIA said that agencies should make decisions regarding what
is critical and what is not and that, as at the CIA, critical or classified information should be kept
on a separate network – presumably not on the internet – while other less critical or non-
classified information was on the internet. He suggested this was a procedure that other
governmental agencies, including those in public safety, should use.
The response to this suggestion was that the decision about what goes on the internet and
what might go into a safe, offline intranet would often be made by many people at an agency, not
one, and certainly not one system administrator who might know better what needed protecting.
Kirk Bailey from the City of Seattle then discussed issues he had faced regarding
protecting public safety in an attack scenario. He suggested, first, having a close, good, and
contractually explicit relationship with the ISP. This relationship should include extensive
discussions about attack scenarios and possible responses. He stated that there was motivation
for lack of clarity in contractual relationships because the law is not clear at this point about who
is liable for what in attack and active defense scenarios and that some parties might prefer to
keep it vague rather than make it clear in a contract.
Contractual issues for Network Service Providers (NSPs)
Kirk Bailey described a new type of contractual relationship between customers and
NSPs that is starting to develop around the country. This relationship clearly defines the kinds of
service levels, capabilities, and expectations that surround responding to significant computer
intrusions. Some of these issues include:
- Who is responsible within the NSP for tough or time-sensitive questions by a customer?
- Who can block ever-changing attacking IP addresses?
- What are the recourses if “bad support” is provided in an attack scenario?
- In a general, regional emergency, what is your priority for restoration of service?
- Does the NSP have problem escalation procedures? Are they visible to you?
- What kind of “extraordinary services” can they provide in an emergency (and how quickly)? (E.g., IP address agility, block/null route IP addresses, topological changes, traffic capture and analysis, etc.)
Many of these issues are not openly discussed, because they clearly define liability. Many
vendors and customers simply turn a blind eye, in favor of a vague contract that can be quickly
and easily signed, hoping that courts will handle the problems when and if they come up.
(Essentially betting that the problem won’t happen, much like driving a vehicle without
insurance.) The worst case is that these issues are simply ignored until there is a crisis, at which
point they will be dealt with in a reactive manner. In the long run, this may be the most costly
and most damaging way to deal with the issues. The advice given by workshop participants was
to start talking openly about these issues and begin to resolve them in advance, to minimize any
potential future problems and speed response.
Final thoughts on Active Defense
Building an active defense capability will cost money. You will have to build tools,
practice using them, do research to understand your battle space, and know how to identify potential
targets and options for going after them. How much are you willing to spend? What part of your
budget are you taking this money out of? Are you sacrificing something useful on a daily basis
that will improve your security in favor of something that is only used rarely and in extreme
circumstances? (On the other hand, the kind of data collection and analysis required to really
understand the full extent of an intrusion, obtain clues as to who is attacking and how you might
be able to respond with active defense, will also provide the kind of evidence collection
necessary to involve law enforcement and maximize their ability to do their job. You may never
get to the highest levels of active defense, but the steps you take along the path (if done correctly)
can still get a positive result.)
Another issue that was not directly addressed in the workshop was how things will
change in the near future. What impact will convergence of network technologies have on this
situation? Voice over IP, for example, will entirely change the existing situation, where the
“Plain Old Telephone System,” which has some inherent benefits in terms of out-of-band
signaling and a connection-oriented design, can be assumed to be a relatively secure and reliable
means of communication. As convergence occurs, control over the network may decrease in
favor of faster and more flexible network infrastructure engineering. The same voice
transmissions that used to go over POTS lines now become easily sniffable data packets on a
network with in-band signaling that suffers DoS attack vulnerabilities. Now is the time to ask
questions to make sure that engineering and price concerns don’t outweigh security and
reliability concerns.
What will be the impact of widespread use of encryption, of both data at rest and data in
transit, should encryption become ubiquitous and strong enough to make some attacks less viable?
(Of course, denial of service concerns associated with network convergence may mean that
serious attacks will remain a threat, even greater in terms of attacks on availability as opposed to
integrity and confidentiality.)
Yet another issue has to do with meaningful risk assessment, and making choices about
how networks and systems are designed so as to make it tougher for an attacker to get in and do
damage. Segmentation of networks, isolation of critical systems, and other features that result in
a controlled environment, are all required. Risk can be mitigated, but cannot be fully removed.
In discussion of the costs of Active Defense, risk mitigation, and liability, several examples
were cited:
1. The BITS Roundtable[14]. One of the main Financial Industry organizations, BITS is
going around and talking to CEOs, telling them that they had better clean up their act, or
they are going to take their money somewhere else (and they have a LOT of money to
take somewhere else).
2. Sarbanes-Oxley[15] is already scaring CEOs straight. This legislation mandates that those
who make decisions in publicly traded companies will be liable. Compliance with
Sarbanes-Oxley must include strategy, policies, and procedures; internal controls need to
be documented, assessed and considered; change control procedures should exist; access
controls should be properly used. Risk cannot be eliminated, but can be mitigated through
a controlled environment.
3. Oxford Health Plans recently agreed to a $300 million settlement for their responsibility
in losing control of an IT upgrade. They lost any ability to tell how much they owed
anybody for anything. This was not framed as a security incident, but sure looks/smells
like one, given other similar stories in the news these days.
4. HIPAA[16]. Accountability is leveled squarely on CIOs and CEOs of Health Care
organizations for unauthorized disclosure of patient information. While not being clear
as to how the data is to be secured, it is clear about liability. One result of this is that
some in the Health Care industry are vacating the health care industry simply because of
the direct liability they face.
[14] http://www.bitsinfo.org/
[15] Public Company Accounting Reform and Investor Protection Act
http://www.sarbanes-oxley.com/
[16] http://www.hipaa.org/
Credits and Thanks
Thanks to Cisco Systems Critical Infrastructure Assurance Group, David Dittrich, Ivan Orton,
John Christiansen, Tom Donohue, Alisha Ritter, Kirk Bailey, Ken Himma, Marc Lampson, and
all the participants from the Agora, local (and distant) businesses, government agencies, and
Universities who attended the workshop.