IMMUNIZING THE INTERNET, OR: HOW I LEARNED TO STOP WORRYING AND LOVE THE WORM
In a 1997 exercise, National Security Agency teams hacked into computer systems at four regional military commands and the National Military Command Center and showed that hackers1 could cause large-scale power outages and 911 emergency telephone network overloads.2 The following year, members of the hacker group L0pht Heavy Industries testified before the Senate Committee on Governmental Affairs that it would take them only thirty minutes to render the Internet unusable for the entire nation.3 Maintaining computer network security presents the unique problem of automated attack methods that can compromise millions of systems, all of which share the same vulnerabilities. Cybercrime is becoming easier to carry out, and as society becomes more dependent on the Internet, the risk of a catastrophic attack looms larger. This Note argues that computer networks, particularly the Internet, can be thought of as having immune systems that are strengthened by certain attacks. Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack — one that would threaten national or even global security. In essence, certain cybercrime can create more benefits than costs, and cybercrime policy should take this concept into account.4 –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
1 This Note uses the term “hacker” to describe people skilled in the art of breaching computer security systems, whether they do so legally or illegally. 2 Bradley Graham, U.S. Studies New Threat: Cyber Attack, WASH. POST, May 24, 1998, at A1. 3 STEVEN FURNELL, CYBERCRIME: VANDALIZING THE INFORMATION SOCIETY 72–73 (2002). 4 The idea that the architecture of computer systems can be a more powerful regulatory force than law itself is not new. See LAWRENCE LESSIG, CODE 4–8 (1999); Neal Kumar Katyal, Digital Architecture as Crime Control, 112 YALE L.J. 2261 (2003). Professors Lessig and Katyal are generally wary of the regulatory power of code. See LESSIG, supra, at 6 (“This code presents the greatest threat to liberal or libertarian ideals, as well as their greatest promise.”); Katyal, supra, at 2281 (“[W]e should fear the response to cybercrime — private architectures of control — nearly as much as the crimes themselves.”). Professor Katyal argues that allowing the market to minimize crime may occur only at a cost that is too dangerous to bear, id. at 2283, and that direct government regulation of code is a far better solution, id. at 2284–85. Although this Note argues that private responses to computer crime are necessary, it leaves open the possibility of government regulation of those private responses to ensure that they do not threaten “transparency and individual freedom.” Id. at 2284. Finally, this Note argues that, to some extent, what Professor Katyal fears — people becoming wary of entrusting important aspects of their lives to the Internet — is a good thing.
2442
�2006]
IMMUNIZING THE INTERNET
2443
Current federal law, however, does not properly value such strategic goals because it does not treat cybercrime differently from other crime.5 During the Clinton Administration, the President’s Working Group on Unlawful Conduct on the Internet, which included the Attorney General and a number of other officials, stated that “substantive regulation of unlawful conduct . . . should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world.”6 As this Note shows, however, prosecution and punishment of computer hackers under current law will ultimately lead to a less secure information infrastructure. Not only does current policy create the wrong incentives regarding cybercrime, it does too little to encourage computer hackers and computer users to contribute actively to Internet security. A more nuanced approach to cybercrime punishment and policy may make the difference in stopping a catastrophic attack. Part I describes how cybercrime differs from other crime, noting that it presents a uniquely grave threat to global security but is also amenable to innovative law enforcement approaches. Part II argues that certain cyberattacks can create security benefits that outweigh the damage they do. Part III proposes several cybercrime policy reforms, including changes in hacking penalties, increased cooperation with hackers, and encouragement of greater user involvement in security. I. WHY CYBERCRIME IS DIFFERENT Cybercrime differs from other crime in important respects, and combating it requires a specialized approach. It is unique in at least two ways: First, it operates within a highly generative system,7 making it more likely to create beneficial effects that outweigh its costs. Second, the perpetrators often possess a particular psychology that makes them amenable to more innovative law enforcement methods. Professor Jonathan Zittrain has drawn the sharpest picture of the importance of generativity, which he describes as a function of leveragability, adaptability, ease of mastery, and accessibility.8 The Internet, he says, is “exceptionally generative” because its architecture –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
5 See PRESIDENT’S WORKING GROUP ON UNLAWFUL CONDUCT ON THE INTERNET, THE ELECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING THE USE OF THE INTERNET (2000), http://www.usdoj.gov/criminal/cybercrime/unlawful.htm. 6 Id. 7 Although this Note focuses on cybercrime, the principles herein could be applied to any generative system. For example, if biotechnology or nanotechnology were to advance to the point at which commodity hardware could be used by moderately knowledgeable users to produce selfreplicating organisms or nanomachines, the worry of catastrophic attack could prompt policymakers, in punishing related crimes, to adopt an analysis that accounts for the potential benefits of those crimes. 8 Jonathan Zittrain, The Generative Internet, 119 HARV. L. REV. 1974, 1981–82 (2006).
�2444
HARVARD LAW REVIEW
[Vol. 119:2442
solves difficult data distribution problems and is “amenable to a large number of applications,” is “easy to master,” has no “central gatekeeper,” and uses publicly available protocols.9 This generativity allows the Internet to act as a powerful catalyst for the economy, for the arts and sciences, and for free thought. E-commerce now accounts for over ten percent of total U.S. commerce, and that number is increasing.10 Worldwide Internet usage is growing at a prodigious rate, and almost every major corporation and government entity has a significant Internet presence. But the millions of computers connected to the Internet bring with them the threat of cybercrime that can leverage the resources and vulnerabilities of those computers.11 Millions of computers around the world contain security holes, many of them easily fixed, but many also undiscovered.12 These flaws allow hackers to invade systems and take control of their operations, steal and destroy data, and even use those systems for further attacks. The statistics are staggering: the FBI has made a conservative estimate that cybercrime costs more than one-half of one percent of the U.S. gross domestic product.13 Computer security incidents — some of which can cripple huge swaths of the Internet — have been on the rise for years.14 The Internet’s generativity allows attackers to leverage limited resources into massive attacks with ease. In distributed denial-of-service (DDoS) attacks, self-propagating worms take control of vulnerable computers (which are often ordinary personal computers in a home or office with a broadband connection); the attackers then command the computers to flood targeted systems with requests for information, preventing legitimate traffic from getting through.15 Such attacks can overwhelm even the most powerful and well-managed servers.16 Internet worms now use increasingly novel and creative methods to –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Id. at 1987–88. U.S. Dep’t of Commerce, E-Stats 2 (May 11, 2005), http://www.census.gov/eos/www/papers/ 2003/2003finaltext.pdf. 11 See Zittrain, supra note 8, at 2012 (“[T]he fundamental problem arises from generativity . . . .”). 12 Computer systems contain so many critical flaws in part because they are incredibly complex, the software changes rapidly, and there have been few consequences for companies that develop flawed software. See Charles C. Mann, Why Software Is So Bad, TECH. REV., July-Aug. 2002, at 33, available at http://www.technologyreview.com/InfoTech/wtr_12887,300,p1.html. 13 FBI, 2005 FBI COMPUTER CRIME SURVEY 10 (2005), available at http://www.newleaf productions.com/ccs2005.pdf. 14 See Zittrain, supra note 8, at 2011 fig.1. 15 See FURNELL, supra note 3, at 109–11; Gregg Keizer, Dutch Police Crush Big ‘Botnet,’ Arrest Trio, INFO. WEEK, Oct. 10, 2005, http://informationweek.com/story/showArticle.jhtml? articleID=171204550 (describing a “botnet” of 100,000 compromised computers used, among other things, to conduct attacks against a corporation’s website). 16 See FURNELL, supra note 3, at 30–31; David Kleinbard, More Sites Hacked in Wake of Yahoo!, CNN MONEY, Feb. 8, 2000, http://money.cnn.com/2000/02/08/technology/yahoo.
9 10
�2006]
IMMUNIZING THE INTERNET
2445
propagate.17 Moreover, just by searching for new hosts to infect, worms can produce so much traffic that they effectively shut down large parts of the Internet and damage even internal systems, such as ATM and airline reservation networks.18 Even old-fashioned e-mail worms, which rely primarily on user ignorance, can spread to hundreds of thousands of computers.19 The combination of ever more creative hackers, the prevalence of powerful computers and broadband Internet connections, and untrained and apathetic users has created an environment in which damaging attacks on the information infrastructure can be unleashed with ease. The risk of a serious cyberattack by terrorists or a foreign government is greater than ever;20 a cyberattack coordinated with physical attacks could compound the fallout by disrupting communications, distracting the government response, and exacerbating the psychological damage from terrorism. What is more, hacking is becoming increasingly easy.21 Therefore, prosecution of cybercrime has become important not just to law enforcement but also to global security. The structural risks inherent in computer networks, however, make it clear that cybercrime cannot be effectively combated solely with traditional law enforcement tools. Because the Internet’s generativity makes it both extremely valuable and extremely vulnerable to attack, cybercrime can create net benefits. As the next Part explains, cybercrime can expose security –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
17 See, e.g., Ted Bridis, Computer Researchers Warn of Net Attacks, YAHOO! FIN., Mar. 16, 2006, http://biz.yahoo.com/ap/060316/internet_attack.html; Santy Worm Makes Unwelcome Visit, BBC NEWS, Dec. 22, 2004, http://news.bbc.co.uk/1/hi/technology/4117711.stm. 18 See Computer Worm Grounds Flights, Blocks ATMs, CNN.COM, Jan. 26, 2003, http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/index.html (describing the SQL Slammer worm, which caused no permanent system damage but temporarily shut down Bank of America’s ATM network, forced Continental Airlines to cancel and delay flights, and slowed corporate and government networks “to the point of inaccessibility”). 19 See, e.g., SANS Internet Storm Ctr., BlackWorm Summary, http://isc.sans.org/diary.php? storyid=1067 (last updated Feb. 3, 2006). 20 See H.R. REP. NO. 107-609, pt. 1, at 65–66 (2002), reprinted in 2002 U.S.C.C.A.N. 1352, 1355 (“As the United States becomes increasingly dependent on information technology it is also more vulnerable to cyber warfare attack by terrorists.”); ASHTON B. CARTER & WILLIAM J. PERRY, PREVENTIVE DEFENSE: A NEW SECURITY STRATEGY FOR AMERICA 149 (1999) (including in the definition of “catastrophic terrorism” a “cyberattack on the computer systems that increasingly support our society’s vital infrastructure”); WHITE HOUSE, THE NATIONAL STRATEGY TO SECURE CYBERSPACE 6 (2003), available at http://www.whitehouse.gov/pcipb/ cyberspace_strategy.pdf (“Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures, economy, or national security.”); Tom Espiner, Security Experts Lift Lid on Chinese Hack Attacks, ZDNET UK, Nov. 23, 2005, http://news.zdnet.co.uk/internet/security/0,39020375,39237492,00.htm (“Governments will pay anything for control of other governments’ computers.”). 21 See U.S. GEN. ACCOUNTING OFFICE, INFORMATION SECURITY: COMPUTER ATTACKS AT DEPARTMENT OF DEFENSE POSE INCREASING RISKS 15 fig.1.2 (1996), available at http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/1996dod.pdf.
�2446
HARVARD LAW REVIEW
[Vol. 119:2442
flaws that, if fixed, can prevent more devastating future attacks. Other types of crime, such as terrorist attacks or bank robberies, cannot be considered beneficial in the same way that cybercrime might be. Although the 9/11 hijackers exposed security vulnerabilities in the air transportation system, such vulnerabilities are not leverageable in the same way computer network vulnerabilities are — the hijackers could not have easily taken control of many more planes than they actually did.22 Similarly, although a bank robbery could reveal a vulnerability, there is little danger that the security hole would otherwise have been exploited in a catastrophic attack on thousands of banks. Realspace simply is not as generative as the Internet. Cybercrime is also different from other crime because it is amenable to innovative law enforcement approaches that exploit its unique underlying psychology. The objective of a bank robbery is to obtain money. Terrorists usually wish to maximize damage. Cybercrime, however, often provides no financial gain; many cyberattacks seem to originate from a desire for fame and attention or fun and challenge.23 Hackers often cause little to no permanent damage to the systems they successfully penetrate.24 This is true even of many high-profile cyberattacks, in which damage initially appears to be widespread.25 Therefore, cybercrime policy may plausibly be able to encourage hackers to perform less damaging attacks, whereas it is almost completely im–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
22 Admittedly, a much less damaging crime could also have revealed the same security holes. Arguably, however, the biggest hole — the failure to imagine that jetliners could be used as weapons — could have been revealed only through a devastating attack. 23 See FURNELL, supra note 3, at 53; Clive Thompson, The Virus Underground, N.Y. TIMES, Feb. 8, 2004, § 6 (Magazine), at 28 (“When Mario is bored . . . he likes to sit at his laptop and create computer viruses and worms.”). Professor Michael Rustad identifies six Internet subcultures, including retreatists, whose hacking is motivated by thrill-seeking; rebels, for whom hacking is a form of civil disobedience; and nonutilitarian hackers, whose motives include exhibiting technical expertise, retaliation, computer voyeurism, and assertion of a belief in open access to computer systems. Michael L. Rustad, Private Enforcement of Cybercrime on the Electronic Frontier, 11 S. CAL. INTERDISC. L.J. 63, 77–83 (2001). Only one of the subcultures involves hacking for financial gain: “innovators,” many of whom are part of organized cybercrime groups located in Eastern Europe. See id. at 72–76. 24 See FURNELL, supra note 3, at 100–01 (describing objectives such as defacement of materials, theft of information or software, use of systems as cover for other cybercrime, and use of systems as repositories, and noting that outright destruction of content “is unlikely in most cases”). 25 Such attacks have included, for example, defacing web sites and releasing worms that did not destroy data. See FURNELL, supra note 3, at 103–09 (describing defacement of web sites of the U.K. Labour Party, the New York Times, and RSA Security, Inc.); Zittrain, supra note 8, at 2003–05, 2008–09 (describing the Morris worm, which did no permanent damage, and noting that “the overwhelming majority of viruses that followed in the 1990s reflected similar authorial restraint”). The reasons for this phenomenon may include a lack of desire to do harm or the perception that destroying data is not a sufficiently creative payload. See Thompson, supra note 23, at 28 (describing a virus writer who “prefers to create viruses that don’t intentionally wreck data, because simple destruction is too easy”).
�2006]
IMMUNIZING THE INTERNET
2447
plausible that the law could convince bank robbers to take less money.26 These unique aspects of cybercrime and the Internet suggest that a nontraditional response is appropriate. The next Part argues that the law can shape the behavior of many cybercriminals to encourage less destructive attacks that still reveal important security information. Part III uses the concept of beneficial cybercrime to suggest policy reforms. Encouraging beneficial cybercrime is not the only way to secure the Internet, but it is a powerful tool in an area that requires every tool available. II. A NEW MODE OF ANALYSIS: BENEFICIAL CYBERCRIME The possibility that a small group with few resources could leverage the generative power of the Internet to do enormous amounts of damage makes securing the Internet of utmost importance. For that reason, certain kinds of cybercrime are actually beneficial because they call attention to security risks, spurring fixes and other precautions that will prevent more damaging future attacks. Such crime, of course, can be considered net beneficial only if the damage caused is less than the probable discounted damage from the future attacks that would have occurred had the security hole not been fixed.27 Judge Richard Posner argues that cost-benefit analysis is “an indispensable step” in making policy concerning catastrophic risks, noting that “[e]ffective responses to most catastrophic risks are likely to be extremely costly, and it would be mad to adopt such responses without an effort to estimate the costs and benefits.”28 In the realm of cyberterrorism, however, effective responses may be very cheap compared to the possible risks. This Note proposes several responses that would reduce the risk of catastrophic cybercrime, incur relatively little –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
26 Admittedly, the law does try to deter bank robbers from hurting bystanders through grading and the felony murder rule. See, e.g., U.S. SENTENCING GUIDELINES MANUAL § 2B3.1(b)(2)– (3), (c) (2005). Sentencing rules for robbery do take the size of loss into account, see, e.g., id. § 2B3.1(b)(7), but the point is that the object of robbery — to take money — is directly correlated with loss, whereas the object of much cybercrime is less so. 27 Therefore, “beneficial” as used in this Note refers to a cost-benefit analysis of some sort. Although the costs and benefits can be difficult to estimate, see RICHARD A. POSNER, CATASTROPHE: RISK AND RESPONSE 171–75 (2004), it is possible to estimate ranges of costs and benefits, which can assist in decisionmaking, id. at 173. See also id. at 175–87 (describing methods to cope with uncertainty, including information markets, inverse cost-benefit analysis, the tolerable-windows approach, and risk-risk assessment). 28 Id. at 139. Judge Posner considers cyberterrorism a possibly catastrophic risk but notes that “at present [computer viruses] are more a nuisance than a serious problem.” Id. at 85. Professor Cass Sunstein’s Anti-Catastrophe Principle, according to which “a large margin of safety makes a great deal of sense” when the “worst-case scenario is truly catastrophic and when probabilities cannot be assigned,” logically applies to cybercrime as well. CASS R. SUNSTEIN, LAWS OF FEAR 115 (2005).
�2448
HARVARD LAW REVIEW
[Vol. 119:2442
cost, and possibly even reduce the damage sustained from noncatastrophic cybercrime.29 There are two ways in which crime can help increase cyberspace security: by raising awareness about security holes30 and by encouraging general security improvements and basic research. Crime That Raises Awareness of Security Holes. Perhaps the most beneficial cybercrimes are attacks that unveil previously unknown security vulnerabilities. Malicious hackers continually search for undiscovered (and therefore unpatched) vulnerabilities to exploit. It is even conceivable that foreign militaries and terrorists are hoarding multiple vulnerabilities, creating an array of worms and viruses that can be unleashed in a single, cataclysmic attack. When an undiscovered security hole is revealed through an attack, the event is known as a “zero-day exploit.”31 In many of these cases, the hacker exploiting the vulnerability is also the first person to have discovered it. If the attack is detected, there is a benefit: the owners and producers of vulnerable systems will learn of the vulnerability and work to patch it. Of course, there is a cost as well: the damage caused by the attack. Security holes revealed in this way do not always have to be discovered in specific hardware or software. For example, some of the most famous and destructive e-mail viruses exploited a system design flaw in combination with a distinctly human flaw: that people had the ability and desire to open attachments to enticingly named e-mails — in one notorious example, one that said “ILOVEYOU.”32 Such ex–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
29 Judge Posner identifies several problems that could cause underinvestment in risk reduction. See POSNER, supra note 27, at 92–138 (discussing the problems of scientific illiteracy, misuse of science, limited horizons, psychology, global decentralization, and public choice). 30 This Note assumes that disclosure of security vulnerabilities is generally a better policy than secrecy. Professor Peter Swire identifies several variables and assumptions that bear on the validity of this premise. Peter P. Swire, A Model for When Disclosure Helps Security: What Is Different About Computer and Network Security?, in THE LAW AND ECONOMICS OF CYBERSECURITY 29, 39–41 (Mark F. Grady & Francesco Parisi eds., 2006). Although he does not take a definitive stance on which policy is better, Professor Swire notes that in the realm of computer security, the combination of cheap, automated attack methods and easy communication among attackers makes it more likely that obscurity is a poor method of defense. Id. A crime that reveals security information can be preferable to no crime. 31 SearchSecurity.com, Zero-Day Exploit, http://searchsecurity.techtarget.com/sDefinition/0,, sid14_gci955554,00.html (last updated Dec. 1, 2005). Although the term can refer to vulnerabilities that are disclosed and later exploited the same day, it also includes vulnerabilities that the malicious hacker discovered first — in other words, the exploit is the disclosure. In some cases, a vendor may know about a vulnerability “before an exploit is created or before the vulnerability is disclosed publicly.” Tony Bradley, Zero Day Exploits: Holy Grail of the Malicious Hacker, ABOUT.COM, http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm (last visited May 13, 2006). In such a case, an attack should be considered one that publicizes a known security hole as analyzed infra p. 2449. 32 This virus, known popularly as the “Love Bug,” was estimated to have caused at least $7 billion in damage. See FURNELL, supra note 3, at 159–63. Preying on user ignorance continues
�2006]
IMMUNIZING THE INTERNET
2449
ploits are dangerous because vendors and security analysts spend less time looking for them and because it is much harder to “patch” a person than a computer.33 Even an attack that exploits a known security hole, and thus does not yield the benefit of revealing a new vulnerability, can be beneficial by prompting users and vendors to patch the hole. Known but unpatched vulnerabilities, after all, can be just as dangerous as unknown vulnerabilities. Many of the most damaging viruses and worms have exploited vulnerabilities for which a patch or other countermeasure had been available for months or even years, relying on the negligence of users who fail to apply the patches.34 Attacks prompt responses from both users and vendors. Owners of compromised machines will notice degraded performance and attempt to fix the hole, and a widespread attack generates media reports that prompt even unaffected users to ensure their patches are up-to-date. Vendors pay more attention to fixing vulnerabilities that are actively being exploited.35 Attacks can also prompt vendors to cooperate more effectively with users in distributing and applying patches.36 –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
to prove effective. See Marsha Walton, New Worm Relies on Old Trick, CNN. COM, Feb. 2, 2006, http://www.cnn.com/2006/TECH/internet/01/31/kamasutraworm/index.html. 33 Arguably there is no way to patch such human vulnerabilities in a technological sense. See Walton, supra note 32. But the obvious nontechnological patch is user training, and a more indirect technological patch does exist: a redesign of the system that makes it harder for users to shoot themselves in the foot. For example, email programs could by default not allow users to open attachments that are executable or warn them of the dangers of doing so. 34 See, e.g., Anne Kandra & Andrew Brandt, The Great American Privacy Makeover, PC WORLD, Nov. 2003, at 144, 150–52, available at http://www.pcworld.com/reviews/article/0,aid, 112468,pg,3,00.asp (“While 83 percent of our survey group said they use an antivirus application, only 73 percent update their [virus] definition files regularly. . . . [O]nly about 63 percent of survey takers [keep up with new software versions and install security patches].”); ‘Code Red’ Computer Worm Targets White House, CNN.COM, July 20, 2001, http://archives.cnn.com/2001/TECH/ internet/07/20/code.red.worm (describing the Code Red worm, for which a patch was available, and noting that “even the most meticulous system administrators have a hard time keeping up with all the patches and fixes necessary”); Sasser Net Worm Affects Millions, BBC NEWS, http://news.bbc.co.uk/1/hi/technology/3682537.stm (last updated May 4, 2004) (describing the Sasser worm’s infection of millions of personal computers using a security hole for which a patch was available). 35 See Peter Galli, Windows vs. Linux: Think Patch Quality, Not Quantity, EWEEK.COM, Jan. 11, 2006, http://www.eweek.com/article2/0,1895,1909747,00.asp (“Red Hat made fixes for every [critical vulnerability] available to customers . . . within two days of the vulnerabilities being know to the public, with 87 percent of them being available the first day.”); Brian Krebs, A Time To Patch, Jan. 11, 2006, http://blogs.washingtonpost.com/securityfix/2006/01/a_timeline_of_m. html (“Last Thursday, Microsoft released a patch to fix a . . . 0day (‘zero day’) vulnerability for which an exploit was publicly disclosed . . . [in] just 10 days . . . .”). 36 See MICROSOFT CORP., 2005 GLOBAL CITIZENSHIP REPORT 21 (2005), available at http://www.microsoft.com/citizenship/default.mspx (“[W]orms and viruses were causing tremendous damage because [security] updates weren’t being implemented. . . . The first step was to encourage more people to use a service . . . [that] automatically downloads critical software updates from Microsoft whenever a user establishes an Internet connection.”).
�2450
HARVARD LAW REVIEW
[Vol. 119:2442
Moreover, media coverage and user complaints can prompt vendors to take action; without such attacks, vendors would probably be more complacent. Crime That Prompts General Security Improvements. Cybercrime also has the potential to spur market solutions to security problems. Ideally, users would make purchasing decisions based on perfect information about product security. Such information can be provided accurately only through the real-world testing that occurs in the case of actual attacks. Users who are dissatisfied with the number of vulnerabilities or with the speed and ease with which they are patched will naturally shift to different vendors or even to wholly different communications methods.37 For example, millions of Microsoft Internet Explorer users have switched to Mozilla Firefox, many for security reasons.38 Security concerns can even convince people to change operating systems.39 Such market activity in turn prompts vendors to improve their design and support processes.40 Because the Internet was originally created for a closed group of trusted users, it was not designed with today’s security threats in mind.41 It was “designed to be ‘open,’ with distributed control and mutual trust among users.”42 The new ubiquity of the Internet, however, has eroded the security bulwarks that protected the early Internet.43 The new threats the Internet faces underscore the importance of refocusing system design methods on increasing robustness. A few initiatives have already begun the process: IPv6 is a redesign of the basic protocol upon which the entire Internet runs, offering new security features and the promise of a “long-term evolution to new security para–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
37 Security flaws are not always vendor-specific; often the flaw is with the standardized protocol underlying the system, which can be common to many vendors. See, e.g., Marguerite Reardon, VPN Flaw Threatens Internet Traffic, CNET NEWS.COM, Nov. 14, 2005, http:// news.com.com/VPN+flaw+threatens+Internet+traffic/2100-1002_3-5951916.html?tag=nefd.top. 38 See Michelle Delio, Mozilla Feeds on Rival’s Woes, WIRED NEWS, July 2, 2004, http://www.wired.com/news/infostructure/0,1377,64065,00.html; Firefox: Take Back the Web, http://www.switch2firefox.com/press (last visited May 13, 2006). 39 See Steven J. Vaughan-Nichols, XP SP2 Gives Reasons To Switch to Linux, EWEEK.COM, Aug. 26, 2004, http://www.eweek.com/article2/0,1759,1640069,00.asp; cf. Thompson, supra note 23, at 32 (“By relying so exclusively on Microsoft products, virus authors say, we have created a digital monoculture, a dangerous thinning of the Internet’s gene pool.”). 40 See, e.g., Microsoft Corp., A Trustworthy Vision for Computing, http://www.microsoft.com/ mscorp/twc/overview.mspx (last visited May 13, 2006) (“[M]any people still are hesitant to entrust [computers] with their lives . . . . Microsoft’s response to this lack of confidence is the Trustworthy Computing Initiative.”). 41 Internet Security and Privacy: Hearing Before the S. Comm. on the Judiciary, 106th Cong. 40 (2000) (statement of Richard Pethia, Director of Computer Emergency Response Team Coordination Center). 42 Id. 43 See Zittrain, supra note 8, at 2008–10.
�2006]
IMMUNIZING THE INTERNET
2451
digms.”44 Advances in authentication and encryption schemes are also changing the assumptions upon which the Internet is built. Internet routers can now filter traffic to prevent DDoS attacks and raise alerts about suspicious traffic.45 Software vendors now build automatic updates and patches into their software. Some researchers have proposed methods to allow “vaccines” to leapfrog and contain the propagation of viruses.46 Researchers have even theorized about artificial intelligences that could help repulse an attack on computer networks.47 The constant barrage of cyberattacks has prompted users to adopt a wide variety of practices that improve the integrity of the Internet. Firewalls provide broad protection against general attack methods, including unforeseen ones. Antivirus and antispyware software provide specific protection against known threats. Large organizations now undertake regular security audits and provide computer security training to employees.48 They also turn off unnecessary features of computer operating systems and lock down systems to prevent users from installing or inadvertently running unapproved, potentially dangerous software.49 Some corporations have diversified their computing assets, helping to ensure that no single vulnerability can bring every system down.50 Finally, the threats posed by cybercrime can prompt even more fundamental structural changes. For example, some organizations have made large investments to build and maintain alternative networks that are insulated from the Internet. The Internet2 consortium has created the Abilene network, a high-performance backbone net–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
44 U.S. DEP’T OF COMMERCE, TECHNICAL AND ECONOMIC ASSESSMENT OF INTERNET PROTOCOL VERSION 6 (IPV6), at 37 (2006), available at http://www.ntia.doc.gov/ ntiahome/ntiageneral/ipv6/final/ipv6final.pdf. But see id. at 37–39 (describing ways in which IPv6 may actually reduce security). 45 STUART BIEGEL, BEYOND OUR CONTROL? CONFRONTING THE LIMITS OF OUR LEGAL SYSTEM IN THE AGE OF CYBERSPACE 252 (2001). 46 See Jacob Goldenberg et al., Distributive Immunization of Networks Against Viruses Using the ‘Honey-Pot’ Architecture, 1 NATURE PHYSICS 184, 184 (2005). 47 See Mitchell S. Ross, An Application of Artificial Intelligence To Provide Strategic Warning to an Information Warfare Attack Against National Information Infrastructures (Mar. 3, 1997), http://www.carlisle.army.mil/usacsl/divisions/std/branches/keg/97TermII/maai.htm. But cf. TERMINATOR 3: RISE OF THE MACHINES (Warner Bros. 2003) (envisioning an artificial intelligence that is released to destroy a computer virus but instead commences thermonuclear war against humans). 48 See Tom Dodds & Ken Pfeil, Microsoft Corp., Security Considerations for End Systems, http://www.microsoft.com/technet/Security/bestprac/bpent/sec2/sconsid.mspx (last visited May 13, 2006). 49 See id. 50 See, e.g., Netcraft, Example Site 1 — www.apple.com, http://uptime.netcraft.com/up/graph (last visited May 13, 2006) (noting that between 1999 and 2001, www.apple.com used “more than one type of Operating System . . . in parallel”).
�2452
HARVARD LAW REVIEW
[Vol. 119:2442
work to which only Internet2 members may connect.51 The consortium uses Abilene to perform research on new technologies, and the network’s semiprivate nature ensures that members can insulate some systems from regular Internet traffic. A massive DDoS attack on the Internet would affect Abilene traffic only if part of the attack originated from an Internet2 member. In summary, cybercrime keeps Internet users on their toes: it makes security flaws salient, which prompts patching and improves market information. That information in turn drives the adoption of more secure technologies and practices. III. INNOVATIVE SOLUTIONS FOR A GENERATIVE SYSTEM Current federal law does not properly take into account the possibility of beneficial cybercrime because it does not differentiate between cybercrime and other types of crime. The primary rationale for this equivalence involves the substitution effect: “that disproportionately punishing activity in either realspace or cyberspace will induce criminals to shift their activities to that sphere in which the expected punishment is lower.”52 Such reasoning ignores the central insight of this Note: crimes that cause minimal damage relative to how much they increase security awareness are beneficial. Engineering punishments to steer criminals toward more beneficial crime would actually be optimal. Furthermore, the notion that crimes in realspace and cyberspace are easily or even feasibly substitutable is often ludicrous: a bank robber is unlikely to switch to writing worms that offer no financial gain just because he will receive less punishment. Current policy also does not sufficiently take into account the importance of hackers and users in securing the Internet. Hackers are an incredibly valuable resource for security knowledge, and cybercrime policy should take pains to encourage their cooperation and to avoid alienating them. Internet users, on the other hand, are perhaps not dealt with harshly enough; ultimately, the only way to secure the Internet is to ensure that these users secure their systems. This Part suggests several reforms that concern punishment, the role of hackers in the quest for security, and methods to force users to take more active responsibility for their systems. The reforms suggested have several advantages over current policy: they tap the creative energy of a vast network of underground hackers, they force users and vendors to respond in beneficial ways that government policy would be unable to force directly, and they spread costs to those who value security, including the private sector and foreign countries. –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
51 52
Abilene FAQ, http://abilene.internet2.edu/about/faq.html (last visited May 13, 2006). Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA. L. REV. 1003, 1005 (2001).
�2006]
IMMUNIZING THE INTERNET
2453
A. Punishment One thing is clear: beneficial cybercrime should not be overdeterred — it should actually be encouraged. Of course, the line between beneficial and nonbeneficial cybercrime is hazy, but it is possible to identify factors that indicate a crime is likely to be beneficial. In arguing that such factors should affect cybercrime policy, this Note assumes that adjusting punishment has at least a marginal effect on deterrence53 and that the primary goals of punishment are instrumental.54 The benefits, however, may be so attenuated and uncertain that little to no change from current law is warranted. At the very least, though, efforts to increase penalties for cybercrime should be evaluated using this cost-benefit framework.55 The current U.S. Sentencing Guidelines do not sufficiently take instrumental concerns into account. The Guidelines primarily concern economic crimes in general, with few cybercrime-specific provisions. If policymakers decide that instrumental concerns about immunizing the Internet necessitate a redesign of cybercrime policy, the problem becomes one of outlining the principles by which cybercrime is to be judged as beneficial. Three principles should underlie such a judgment: measurement of damage, marginal deterrence, and nature of the exploitation. 1. Measurement of Damage. — The measure of damage used in a cost-benefit analysis of cybercrime is more nuanced than current law provides. When the U.S. Sentencing Commission last amended the Guidelines applicable to cybercrime, it defined actual loss as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, pro-
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
53 Deterrence analysis is quite complex, and many of its claims are open to debate. See, e.g., Tracey L. Meares et al., Updating the Study of Punishment, 56 STAN. L. REV. 1171 (2004); Paul H. Robinson & John M. Darley, The Role of Deterrence in the Formulation of Criminal Law Rules: At Its Worst When Doing Its Best, 91 GEO. L.J. 949 (2003). 54 Other punishment objectives may also support the approach suggested in this Note. Incapacitation may be of lesser concern because, as section III.B argues, a system of creative sentencing could encourage cybercriminals to contribute to security rather than simply deny them access to computers. In addition, hackers seem more amenable to rehabilitation than other types of criminals, possibly because hackers can more easily transition to legitimate activities. See, e.g., FURNELL, supra note 3, at 70–71 (describing a hacker group called Legion of Doom, some members of which formed a security firm after a government crackdown); id. at 82–91, 225–29 (describing the hackers Cap’n Crunch, Kevin Mitnick, and Kevin Poulsen, all of whom pursued legitimate job opportunities in the security field after prison time). 55 For an example of an overly simplistic cost-benefit analysis reaching the wrong result, see Steven E. Landsburg, Feed the Worms Who Write Worms to the Worms, SLATE, May 26, 2004, http://www.slate.com/?id=2101297&, which argues that authors of computer worms should be subject to the death penalty.
�2454
HARVARD LAW REVIEW
[Vol. 119:2442
gram, system, or information to its condition prior to the offense, and any . . . damages incurred because of interruption of service.”56 This measure of loss is overinclusive, however, because much of the cost of restoring system integrity is money that one should reasonably expect users to spend anyway. Whenever security flaws are discovered, users spend time and money to patch them, regardless of whether their systems have been attacked. Yet these same costs, when borne by the actual victim of a breach, count as losses under the current Guidelines even when the hacked system suffers no damage.57 It is as if a mere trespasser who entered a doorway with no lock were held liable for the cost of installing a lock afterwards. Crime that does very little damage may not be noticeable by all parties involved, however, erasing some of the benefits. For example, many worms can compromise machines without the users even noticing; groups of such machines are then used in DDoS attacks.58 If the worms do no noticeable damage to the compromised machines themselves, the owners may never remove the worms and patch the security holes. Therefore, some minimal damage may actually increase the crime’s benefit.59 Ideally, the worm would alert the user of the machine that he is vulnerable without causing permanent damage. For example, a large, flashing message mocking the user for his incompetence would do the trick.60 2. Marginal Deterrence. — Because the most beneficial attacks are those that reveal the most information about potentially dangerous security flaws while causing the least damage, it is important to ensure a large gulf in punishment between attacks that reach their full destructive potential and those that do not. For example, if the security hole –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
U.S. SENTENCING GUIDELINES MANUAL § 2B1.1 cmt. 3(A)(v)(III) (2005). Such costs would probably fall under the phrase “cost of responding to an offense.” Id.; cf. Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935–36 (9th Cir. 2004) (rejecting the defendant’s argument that damages could not be assessed for routine maintenance and upgrades that the plaintiff would have needed to perform in any case). In some cases of unauthorized access to computer systems, the damage caused is not just the breach but also the cost of cleaning up and ensuring that the hacker did not maliciously alter the system. Such security audits are common after sophisticated, directed attacks on specific systems. However, in cases in which thousands or millions of computers are breached, the attack is necessarily an automated attack with a known payload. In such cases, the payload usually does the exact same thing to each system breached, and researchers can create automated cleanup programs that can quickly and easily restore the integrity of the systems affected. 58 See FURNELL, supra note 3, at 110 (“[T]he sites hosting the daemons [used in DDoS attacks] typically do so unwittingly, the programs having been installed via stealth methods.”). 59 There are other benefits. Other parties affected, such as the network providers and the site targeted by the DDoS attack, will take protective measures, and there may also be media attention focused on the vulnerability exploited. 60 See Thompson, supra note 23, at 31 (describing a virus that simply displays a picture of a raised middle finger and a virus that displays two artificial intelligence chat-agents debating whether they will be caught by antivirus software).
56 57
�2006]
IMMUNIZING THE INTERNET
2455
exploited in an attack gives the attacker the ability to execute arbitrary code with full administrative privileges, the potential for damage is great: he can steal or destroy any data on the system and use the system itself for a self-propagating attack. The attacker may choose not to do so, however; he may choose instead simply to create a worm that self-propagates but does not destroy any data. In fact, a “benevolent” worm could even close the security hole behind it.61 Punishments should encourage attacks that fall shortest of their full destructive potential, at the very least by taking into account the gap between potential and actual damage during sentencing. Current law only minimally reflects concerns over marginal deterrence. The Guidelines specify an increase in offense level that ranges from zero for losses less than $5000 to thirty for losses greater than $400 million,62 but they do not take account of the difference between actual and potential damage.63 As discussed above, however, any moderately widespread attack will almost certainly create massive losses (as measured under the Guidelines) because of the large number of users who will have to patch the hole. Many crimes that might be considered beneficial under the measures discussed in Part II would quickly blow through the loss brackets in the Guidelines. And at that point, there is no possibility of marginal deterrence, and an attacker might decide that it is worth the glory to create damage well beyond $400 million. Therefore, a redesigned system could exempt the cost of patching a vulnerability from the measure of loss. A redesign might also increase the high end of the Guidelines and the statutory maximums so that sentencing levels increase as damage increases beyond $400 million. 3. Nature of the Exploitation. — The current Guidelines increase the sentence if the offense involves “a computer system used to maintain or operate a critical infrastructure.”64 Such a differential is justified if the vulnerability exploited is common to many systems: if crime –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
61 A worm named Welchia spread using the security hole exploited by the earlier Blaster worm, but after entering a computer system it downloaded a patch for the hole. See New Internet Worm Tries To Patch Windows Hole, USA TODAY, Aug. 19, 2003, http://www.usatoday.com/ tech/news/computersecurity/2003-08-19-good-worm_x.htm. Arguably, such worms are damaging simply because they create excess network traffic and can cause computers to reboot, but the question remains whether the benefits, which may not be immediate, outweigh the costs. See, e.g., Celeste Biever, Turning the Worm Secures the Computer, NEW SCIENTIST, Feb. 4, 2006, at 32 (describing a beneficial worm that spreads with restraint). 62 For a first-time offender, the base offense level of six, U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(a)(2) (2005), carries a sentence of zero to six months, whereas an offense level of thirty-six carries a sentence of 188 to 235 months. See id. § 5A tbl. That sentence, however, is limited by the statutory maximum, which in most cases ranges from one to twenty years. See 18 U.S.C. § 1030(c) (2000 & Supp. II 2002). 63 U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(1). 64 Id. § 2B1.1(b)(14)(A)(i).
�2456
HARVARD LAW REVIEW
[Vol. 119:2442
is beneficial for revealing security flaws, attacks on less-critical systems are generally preferable because the flaw is revealed without actually exposing the critical system to risk.65 However, if the vulnerability exploited is specific to a system operating critical infrastructure, then the differential is illogical: the benefit can be realized only through an attack on that system. Securing such systems is of primary importance, and an attack on such a system that does little damage but reveals important security information is therefore desirable.66 The current Guidelines also base sentences on the number of victims.67 The most dangerous vulnerabilities, however, are those that are widespread. Additionally, the only ways many users learn of vulnerabilities is either through being attacked or through heavily circulated media accounts of particularly notable attacks. Therefore, a wide-ranging attack can be more beneficial than a relatively limited one. A redesigned system might reduce or eliminate the importance of this factor or at least make its application more nuanced. Finally, as discussed above, an attack’s benefits generally correlate with its novelty. Exploitation of a known security hole usually offers little benefit beyond raising awareness. A novel attack, however, reveals much more valuable information that could preempt a more damaging surprise attack. Therefore, a redesigned system might punish attacks that are novel more lightly, and punish attacks that are not novel more harshly. In summary, under the view that the damage from an attack is worth the attendant boost in immunity and reduction of the risk of a catastrophic attack, some crimes (for example, those that affect a large number of people but do little damage to each) are overdeterred, and some crimes (for example, those that are not novel) are underdeterred.68 B. The Role of Hackers: A Proliferation of Hat Colors
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.69
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
65 This argument assumes that operators of critical systems pay attention to attacks on similar, less-critical systems and take steps to patch vulnerabilities before being attacked themselves. 66 Such attacks are not as unlikely as they may seem, due to the unique psychology of hacking and the lure of such challenges. See supra p. 2446. 67 U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(2). 68 To the extent that cybercrime may be harder to detect and investigate than other crimes, however, it is possible that cybercrime is already somewhat underdeterred. 69 The Mentor, The Conscience of a Hacker, PHRACK INC., Jan. 8, 1986, Vol. 1, Issue 7, at phile 3, http://www.phrack.org/archives/phrack07.tar.gz.
�2006]
IMMUNIZING THE INTERNET
2457
Hackers have always played a dual role in the development of the Internet. As Robert Steele puts it, hackers “see[] the dangers, the vulnerabilities, the shoddy, unethical, inappropriate business behavior by communications and computing companies. . . . And everyone wants to shoot the messenger.”70 Steele argues that hackers are a national resource but that governments around the world consider them “pathological scum” because they do not understand hackers and the environment in which they operate.71 But whether one sees hackers as good or evil, there is no denying that they can provide vital information about vulnerabilities in the infrastructure. And unless one believes that terrorists and hostile nations do not employ their own hackers, it is clear that they are a resource that should be exploited. This Note does not argue that hackers should not be prosecuted. It argues merely that cybercrime policy should be reshaped to encourage hackers to move closer to the “white hat” hacker model — disclosing security holes responsibly, working with vendors to fix such holes quickly, and cooperating with law enforcement.72 Cybercrime policy should give hackers incentives to make their attacks benign; when hackers are caught, that same policy should give them incentives to turn to legitimate activities, even while incarcerated. Finally, those convicted of conducting the most destructive attacks should receive the harshest punishments. Although the law should encourage movement toward the white hat model, some activity that is currently illegal may be necessary if society is to maximize the benefit from cybercrime. A possible objection to recognizing the benefits of cybercrime is that organizations could instead rely on white hats to test their security; white hats would offer comparable information while operating transparently, responsibly, and without causing damage. This approach clearly offers advantages, but to the extent that the United States has reason to fear a truly catastrophic attack, white hats must be only one part of a broader strategy. White hats cannot ethically invade the computer systems of users who have not invited them to do so, meaning that they can provide only the first of the benefits enumerated in section III.A — unveiling of security holes.73 The very users whose systems are most at –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
70 Frontline, Are Hackers Outlaws or Watchdogs?, http://www.pbs.org/wgbh/pages/frontline/ shows/hackers/whoare/outlaws.html (last visited May 13, 2006) (interview with Robert Steele). 71 Id. 72 Cooperation on some level already exists. Some virus writers claim that upon finishing a virus, they immediately e-mail a copy of it to antivirus companies. See Thompson, supra note 23, at 72. They thus claim that “their virus-writing strengthens the ‘immune system’ of the Internet.” Id. 73 Judge Posner argues that malicious hackers should be given harsh sentences, noting that if they are deterred, “they will become lawful computer programmers — perhaps specializing in making computers more secure against viruses!” POSNER, supra note 27, at 244. He fails to real-
�2458
HARVARD LAW REVIEW
[Vol. 119:2442
risk of being hijacked for nefarious purposes — the most negligent or ignorant users — are the ones least likely to invite a white hat to do a security audit.74 Cybercrime policy must also take into account the social dynamic of the hacker community. Alienating the hacker community by providing insufficient safe harbors and dealing with hackers in an insensitive or heavy-handed manner threatens security. Angry or disillusioned hackers may disclose vulnerabilities irresponsibly, refuse to help create patches, or even engage in attacks themselves. Others may leave the business altogether. Ensuring that U.S. security expertise is on the cutting edge requires preserving an adversarial but respectful dynamic between hackers, engineers, and law enforcement. Instead of taking a hard-line approach with hackers working at what are now considered the bounds of legitimate behavior, the law should provide them with greater freedom and incentives to cooperate in the quest for a more secure information infrastructure. To encourage cooperation from hackers, corporations and government officials must take a softer approach. Existing law could be amended or interpreted to allow hackers greater freedom to test systems for security vulnerabilities. For example, at least one court has held that a port scan — a method for finding security weaknesses that does not involve any actual breach of security — was not actionable under state or federal law partly because the costs of investigating the scan did not fit within the statutory damage definition.75 Indeed, although punishment can be optimized to encourage beneficial cybercrime, rewards may also entice hackers to help secure the information infrastructure. Cash incentives could encourage some hackers to discontinue harmful activity and instead provide information and guidance about the security vulnerabilities they have been exploiting.76 Statutory safeguards against prosecution for past crimes could encourage hackers to come forward. Alternatively, a system for anonymous information sharing or even informal use of informants –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
ize, however, the possibility that “black hat” hackers can provide benefits that white hat hackers cannot. Judge Posner also elides the difficulty in drawing the line that defines legal and illegal hacking activity. 74 Although the most important targets, such as government, military, and corporate users, are likely to have professional security staff, hackers often launch attacks against these targets by using ordinary, privately owned personal computers that may not receive sufficient attention from their owners. See supra p. 2444. 75 See Moulton v. VC3, No. 1:00CV434-TWT, 2000 WL 33310901, at *6 (N.D. Ga. Nov. 7, 2000). 76 Many hackers generate no income from their activities, and of those who do, at least some could be swayed by modest cash rewards. See Brian Krebs, Invasion of the Computer Snatchers, WASH. POST, Feb. 19, 2006 (Magazine), at 10, 12 (describing a hacker employed for only a moderate salary).
�2006]
IMMUNIZING THE INTERNET
2459
could be encouraged. Any such effort, however, must be sensitive to a hacker subculture that may take pride in defying authority. Hackers should also be given incentives to reveal the security vulnerabilities they find in a responsible manner. In many cases, hackers simply want recognition for their discoveries,77 which they might otherwise get only by publicizing a flaw before a patch is available. In a promising sign, the data networking vendor 3Com recently created a “Zero Day Initiative,” which encourages responsible disclosure of security flaws by promising hackers who keep flaws confidential that they will be recognized after the flaw has been fixed.78 The government and the private sector should invite hackers to help conduct security exercises. Security experts often engage in “Red Teaming,” in which a team simulates an attack on a specified target. The purpose of the exercise is to identify system vulnerabilities and the methods by which an enemy is likely to exploit them. The government has taken a few steps in this direction;79 such programs could be expanded to include more realistic situations by inviting hackers to think like the enemy and attempt attacks on a designated target.80 Successful participants should be rewarded with recognition, money, or both. Creative punishment could provide benefits beyond simple deterrence and incapacitation. Even if a hacker is captured and prosecuted only long after the exploited vulnerability has been patched, the hacker may be able to provide valuable information about related vulnerabilities.81 Federal prosecutors and judges, however, have little discretion to induce such cooperation.82 In other words, the justice –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
77 See John Walko, 3Com Initiative Sets the Clock Back on Zero Day Security Attacks, EE TIMES, July 25, 2005, http://www.eetimes.com/showArticle.jhtml?articleID=166402117. 78 Id.; 3Com, Zero Day Initiative, http://www.zerodayinitiative.com (last visited May 13, 2006). 79 See Michael Arnone, DHS To Run Cybersecurity Exercise, FCW.COM, Jan. 31, 2006, http://www.fcw.com/article92160-01-31-06-Web&RSS=yes#related; ‘Cyber Storm’ Tests US Defences, BBC NEWS, Feb. 12, 2006, http://news.bbc.co.uk/1/hi/world/americas/4706316.stm. 80 See, e.g., SANS Inst., SANS Network Security 2002, SANS 9th ID-Net, http://www. sans.org/NS2002/idnet.php (last visited May 13, 2006) (describing a hacking competition in which “those who have done the most damage [to a designated network] win”). 81 For example, Microsoft software has recently been affected by a string of attacks exploiting flaws related to its Windows Meta File (WMF) technology. Microsoft issued a patch for the original security hole, but the patch did not fix vulnerabilities in other software that relied on WMF. A few weeks later, Microsoft issued a warning about a flaw in its web browser related to the original WMF flaw. Elizabeth Millard, Microsoft Warns of New WMF Vulnerability, NEWSFACTOR MAG. ONLINE, Feb. 8, 2006, http://www.newsfactor.com/story.xhtml? story_id=41503. If the person who discovered the flaw had initiated the first attack and was caught, he would probably have been able to help Microsoft ferret out other vulnerabilities related to WMF. 82 Department of Justice policy generally requires prosecutors to seek sentences within the Guidelines, see Memorandum from James B. Comey, Deputy Attorney Gen., U.S. Dep’t of Justice, to All Federal Prosecutors (Jan. 28, 2005), available at http://sentencing.typepad.com/ sentencing_law_and_policy/files/dag_jan_28_comey_memo_on_booker.pdf, which allow for de-
�2460
HARVARD LAW REVIEW
[Vol. 119:2442
system operates on a narrow view of punishment’s purposes that does not take into account the broader goal of creating a more secure infrastructure.83 The reality is that the United States is now moving toward a regime in which the very act of disclosing information on security vulnerabilities is criminal. Although cases of legitimate security consultants being prosecuted for informing users of security holes remain anecdotal,84 recent legislation appears to be based on the naïve belief that decreasing transparency and driving hackers into the criminal fringe will increase security. Cases under the Digital Millennium Copyright Act85 (DMCA), which criminalizes the development and distribution of tools for circumventing copyright protection, may indicate how the government and corporations will approach other securityrelated issues. The first person indicted under the DMCA’s anticircumvention provision was a Russian programmer named Dimitry Sklyarov, who had made available software that could circumvent copyright protection in Adobe eBooks.86 Sklyarov was arrested when he came to the United States to present his research on eBook security flaws at the DEF CON computer security conference.87 His software exploited the fact that several vendors selling eBook encryption software used “ludicrously weak” encryption methods.88 One vendor used a method called rot13 — replacement of each letter with the letter thirteen places down the alphabet — that is “often used as the canonical example of –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
partures only when the defendant has assisted in the investigation of another person who has committed an offense, U.S. SENTENCING GUIDELINES MANUAL § 5K1.1 (2005), or in the “exceptional case” of relevant circumstances not identified in the Guidelines, id. §§ 5K2.0(a)(2)(B), 5K2.0 cmt. 3(A)(ii). 83 Because part of the allure of hacking may be its illegal nature, however, legitimizing more behavior may push some hackers toward even more destructive activity. Therefore, to the extent hackers relish the criminal nature of their activity, it may be necessary to criminalize some beneficial hacking. At the same time, it seems intuitive that hackers do not desire punishment but simply the challenge of evading capture; therefore, enforcement efforts might be kept high even as punishment is lowered. 84 See, e.g., John Leyden, Ethical Hacker Faces War Driving Charges, REGISTER, July 26, 2002, http://www.theregister.co.uk/2002/07/26/ethical_hacker_faces_war_driving; see also Nat’l Ass’n of Criminal Def. Lawyers et al., Comments on the Cyber Security Enhancement Act of 2002, at 8–9 (2002), available at http://cyberlaw.stanford.edu/about/cases/1030%20Comments% 202-19-03.pdf. 85 17 U.S.C. § 1201(b)(1) (2000). 86 Press Release, U.S. Dep’t of Justice, First Indictment Under Digital Millennium Copyright Act Returned Against Russian National, Company, in San Jose, California (Aug. 28, 2001), http://www.cybercrime.gov/Sklyarovindictment.htm. 87 Elec. Frontier Found., US v. ElcomSoft & Sklyarov FAQ, http://www.eff.org/IP/DMCA/ US_v_Elcomsoft/us_v_elcomsoft_faq.html (last visited May 13, 2006). 88 Bruce Perens, Dimitry Sklyarov: Enemy or Friend?, ZDNET NEWS, Aug. 1, 2001, http://news.zdnet.com/2100-9595_22-530420.html.
�2006]
IMMUNIZING THE INTERNET
2461
weak encryption.”89 In effect, Sklyarov had demonstrated to users of eBook encryption software that their books were protected by an algorithm that the average elementary school student could crack. And those users probably would have preferred to know sooner rather than later that their documents were not secure. Sklyarov’s actions can hardly be considered detrimental to society — in fact, even Adobe, which had supported the indictment, later called for his release.90 Although Sklyarov was prosecuted not for simple disclosure of security holes but for trafficking in tools that exploit the holes, the distinction is blurry. When security holes such as the ones in the eBooks are so easy to exploit, simple disclosure of the holes guarantees that circumvention tools will be produced in a matter of minutes.91 Even complex flaws can be exploited quickly, as shown by zero-day exploits. Despite the fact that there does not appear to be a trend of similar cases prosecuted under the DMCA,92 even a single case can produce a chilling effect on security research. Finally, even assuming no such chilling effect exists, the slothful, disrespectful, or even hostile way in which some corporations handle reports of vulnerabilities can alienate the hacker community.93 C. Getting Users in Line Finally, an effective cybercrime policy must spread information and incentivize users to adopt stronger security precautions. As discussed above, devastating attacks can be launched using well-known security holes because of user negligence in patching systems. Securing these systems is difficult because their owners are often not significantly affected and are scattered around the world. Public awareness programs and possibly even civil sanctions, bolstered by international cooperation, should be used to shut down networks of hijacked computers and to prevent new ones from being created. –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
Wikipedia, ROT13, http://en.wikipedia.org/wiki/ROT13 (last visited May 13, 2006). Press Release, Elec. Frontier Found. & Adobe Sys. Inc., Adobe, Electronic Frontier Foundation Call for Release of Russian Programmer (July 23, 2001), http://www.eff.org/IP/ DMCA/US_v_Elcomsoft/20010723_eff_adobe_sklyarov_pr.html. The United States later released Sklyarov in exchange for his testimony in the prosecution of his former employer. Press Release, U.S. Dep’t of Justice, Russian National Enters into Agreement with the United States on First Digital Millennium Copyright Act Case (Dec. 13, 2001), http://www.cybercrime.gov/sklyarov Agree.htm. 91 Cf. Thompson, supra note 23, at 30–31 (describing virus writers who publish their work on websites and allow others to modify and release them). 92 See U.S. Dep’t of Justice, Intellectual Property Cases, http://www.cybercrime.gov/ ipcases.htm (last visited May 13, 2006). 93 See, e.g., Robert Lemos, Oracle in War of Words with Security Researcher, REGISTER, Jan. 26, 2006, http://www.theregister.co.uk/2006/01/26/security_researcher_versus_oracle (describing Oracle’s criticism of a researcher’s disclosure of a vulnerability before a fix was available and noting that Oracle had previously taken more than 800 days to fix certain flaws).
89 90
�2462
HARVARD LAW REVIEW
[Vol. 119:2442
Government agencies have made small steps toward raising public awareness about computer security, but some of their attempts border on the comical. The FTC distributes security information through its website and has formed partnerships with other government agencies and the private sector; it also has a mascot named Dewie the e-Turtle to help “promote a culture of security.”94 The Department of Homeland Security promotes educational programs from the grade school through university levels and has a National Cyber Alert System to distribute information to computer users; its awareness programs include encouraging Americans to “review and improve their cyber readiness” during Daylight Savings Time.95 Something more threatening than a friendly e-Turtle, however, may be necessary to raise awareness and convince users to take responsibility for their own machines. Professor Michael Rustad argues that computer system operators could be held liable to third parties for permitting hackers to invade their systems.96 In the context of botnets, however, it would be administratively difficult to impose liability on thousands of home users. To avoid that problem, Professors Doug Lichtman and Eric Posner propose that Internet Service Providers (ISPs) should be held accountable when their subscribers originate or propagate malicious code.97 ISPs, they argue, are “in a good position to reduce the number and severity of bad acts online” and should be encouraged to do their part in responding to cyberattacks.98 The global nature of the Internet means that even if users in the United States start taking effective security measures, computers abroad could still be used in an attack on a U.S. target. Therefore, international cooperation is crucial to ensuring the integrity of the Internet. The Convention on Cybercrime99 (which the United States has signed but not ratified100) provides for international cooperation in prosecuting cybercrime but makes no provision for cooperation in securing networks.101 Informal cooperation can be used to spread public –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
94 Protecting Our Nation’s Cyber Space: Educational Awareness for the Cyber Citizen: Hearing Before the H. Subcomm. on Technology, Information Policy, Intergovernmental Relations and the Census, 108th Cong. 12–13 (2004) (statement of FTC Comm’r Orson Swindle). 95 Id. at 34, 38 (statement of Amit Yoran, Director, National Cyber Security Division, U.S. Department of Homeland Security). 96 Rustad, supra note 23, at 107–13. 97 See Doug Lichtman & Eric A. Posner, Holding Internet Service Providers Accountable, in THE LAW AND ECONOMICS OF CYBERSECURITY, supra note 30, at 221, 222. 98 Id. at 223–24. 99 Opened for signature Nov. 23, 2001, available at http://conventions.coe.int/Treaty/en/ Treaties/Html/185.htm. 100 See Council of Europe, Convention on Cybercrime, CETS No.: 185, http://conventions.coe. int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=4/8/2006&CL=ENG (last visited May 13, 2006). 101 See Convention on Cybercrime, supra note 99, arts. 23–35.
�2006]
IMMUNIZING THE INTERNET
2463
education programs transnationally; however, a formal agreement may be necessary to extend tort liability for users and ISPs across borders. IV. CONCLUSION The government will likely increase its cybercrime enforcement efforts. The results will fall between two extremes: a world in which law enforcement constantly lags behind cybercriminals, and a world in which the government’s enforcement operations are so ruthless that hackers are cowed into submission. This Note offers an approach that will prevent the United States from straying too close to either extreme. The goal should not be to eliminate cybercrime (a futile endeavor), nor should it be to let cybercrime run rampant, relying on users to protect themselves. The goal should be to secure the information infrastructure by working with industry and Internet users and by enlisting hackers on the side of greater security. Doing so requires some baseline level of cybercrime to keep prevention efforts active and alert. One might argue that the approach this Note describes places too much emphasis on regulation via code, when it should be merely part of a multipronged effort also involving law, markets, and social norms. Professor Lawrence Lessig asserts that “[t]he optimal protection for spaces in cyberspace is a mix between public law and private fences. The question to ask in determining the mix is which protection, on the margin, costs less.”102 This Note, however, does not argue that public law should be discarded in favor of private fences. Instead, it recognizes that the coercive effect of public law correlates inversely with the quality of private fences: the more the law deters noncatastrophic cybercrime or otherwise constrains the actions of hackers, the lower the quality of the fences built to keep them out. And that is when the attacker bent on catastrophe — and unlikely to be significantly affected by market forces or social norms — is bound to strike, with devastating effect. Cybercrime is different from other crime. It is potentially far more dangerous than most other crime, but that danger does not justify increasing punishment across the board. On the contrary, some types of cybercrime are beneficial, and those people operating on the fringe of legitimate hacking activity are an important resource in securing the information infrastructure against catastrophic attacks. Finally, prevention — strengthening the Internet’s immune system — is the most powerful defense available. Code takes precedence over law,103 not because it can, but because it must. –––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
102 103
See LESSIG, supra note 4, at 123. See id. at 53.
�