As an earlier article here noted, the recent report from the Commission on the Theft of American Intellectual Property shows a great deal of concern about the “scale of international theft of American intellectual property” which it estimates to be “hundreds of billions of dollars per year.”

However, there’s also been a certain amount of consternation at some of the report’s other content. While I don’t get the impression that Cory Doctorow (writing for BoingBoing) was expecting too much from this report, I don’t know whether he expected it to advocate the legal sanctioning and use of something very like ransomware against pirates and intellectual property infringers. In fact, I’d say it’s a slight exaggeration to say that the document ‘[demands] that Congress legalize an extortion tool invented by criminals’. But it does suggest that valuable data could be protected by software that takes ‘a range of actions’ against people who try to access it without authorization:

For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account.

Well, that does sound a lot like ransomware, or at least like the ‘police’ ransomware that locks the victim’s screen behind a fake law enforcement notice. In fact, it sounds even more like the AIDS Trojan of 1989, which purported to ‘protect’ PC Cyborg Corporation’s intellectual property by scrambling file names on the hard disk and demanding payment of a licence fee before the files would be restored. The AIDS Trojan was actually mailed out on floppy disk as a review/sample copy of a medical information database to the sort of institution that it would interest. However, the sting in this particular tale was buried in the licence agreement:

"In case of breach of license, PC Cyborg Corporation reserves the right to use program mechanisms to ensure termination of the use of these programs. These program mechanisms will adversely affect other programs on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement.*

*Warning: do not use these programs unless you are prepared to pay for them."

Let’s be clear: the Commission isn’t proposing this model (low-grade data used as a lure to enable extortion) as a template for ‘threat-based deterrence systems’ – at least, I hope it isn’t – and it is aware that ‘actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network’ is ‘not currently permitted under U.S. law’. Nor, I have to say, is it permitted in a great many other jurisdictions: the UK’s Computer Misuse Act, for example, very specifically criminalizes unauthorized access and unauthorized modification, and similar legislation can be found in many other parts of Europe and the rest of the world.

In fact, what the Commission describes is probably nearer to the old idea of the ‘good virus’: not exactly policeware, but something to keep the blackhats’ wheels spinning until the cops arrive. Except that the squad cars travel a lot more slowly when they have to cross international borders, or even circle the globe.

We’re accustomed to the idea that The Good Guys are somewhat disadvantaged in the ongoing struggle with The Bad Guys, in that they are constrained by the need to act legally and ethically. Even so, few people (other than the criminals, of course) are outraged when a criminal investigation involves covert surveillance, analysis and further manipulation of a system controlled by criminals, as long as it’s carried out in accordance with the laws that regulate law enforcement and criminal investigation. What is being proposed here, though, is that powers which can be extended to law-enforcement agencies – in many cases only with judicial authorization, as with a wiretapping warrant – should also be available to companies under the guise of ‘active network defence’. The activities that the Commission suggests companies might engage in include:

  • Retrieving, modifying or destroying stolen information within the intruder’s networks, or ‘even destroying the information within an unauthorized network’.
  • Using the camera on the attacker’s system to get a photo.
  • Uploading malware to the attacker’s network.
  • Disabling or trashing the attacker’s system(s).

The report suggests that the ‘bias’ against ‘offensive cyber’ in current legal frameworks is influenced by the risk of collateral damage to innocent parties – I guess this would cover legitimate systems compromised and misused by an attacker, as well as false positives (action taken inappropriately because of misdiagnosis) – and by the complexities introduced by attacks that cross national borders, and for those reasons it doesn’t recommend specific legal changes. Clearly, though, the Commission believes that laws and policing aren’t keeping up with the nature of hacking. This is undeniable, though you might wonder whether it’s really the task of lawmakers to try to address every specific attack type and technology. Isn’t it often more practical to tweak existing law where necessary, so that it’s clearer how longstanding principles apply to new contexts?

I appreciate the frustration that comes from the bad guys having all the freedom of action while law enforcement and victims are hampered by legal and ethical restraints, but that’s what makes the difference between us and them. The benefit to a corporation of such ‘defensive’ measures doesn’t automatically outweigh the rights of non-corporate individuals – not just criminals, but innocent third parties.

The group calls for discussion on “whether corporations and individuals should be legally able to conduct threat-based deterrence operations against network intrusion, without doing undue harm to an attacker or to innocent third parties…” Giving corporates legal powers similar to those of law enforcement (and there’s no discussion here of how the exercise of those powers might be regulated) is pretty close to vigilantism. When law enforcement agencies act against cybercriminals, they are often acting in concert with the security community, and more often than not that combined training and expertise works to the benefit of innocent third parties. If it becomes the norm for similar action to be carried out by corporations with a direct financial stake in the IP under threat and no particular specialism in security, there will inevitably be concerns as to whether that aim of ‘without doing undue harm’ will be achieved consistently.

David Harley
ESET Senior Research Fellow