Ghost in the network.

Author: Bambauer, Derek E.
Position: Abstract through II. The Easy Case for Cybersecurity Regulation, p. 1011-1050

Cyberattacks are inevitable and widespread. Existing scholarship on cyberespionage and cyberwar is undermined by its futile obsession with preventing attacks. This Article draws on research in normal accident theory and complex system design to argue that successful attacks are unavoidable. Cybersecurity must focus on mitigating breaches rather than preventing them. First, this Article analyzes cybersecurity's market failures and information asymmetries. It argues that these economic and structural factors necessitate greater regulation, particularly given the abject failures of alternative approaches. Second, this Article divides cyberthreats into two categories: known and unknown. To reduce the impact of known threats with identified fixes, the federal government should combine funding and legal mandates to push firms to redesign their computer systems. Redesign should follow two principles: disaggregation--dispersing data across many locations--and heterogeneity--running those disaggregated components on variegated software and hardware. For unknown threats--"zero-day attacks"--regulation should seek to increase the government's access to markets for these exploits. Regulation cannot exorcise the ghost in the network, but it can contain the damage it causes.

Maelcum produced a white lump of foam slightly smaller than Case's head, fished a pearl-handled switchblade on a green nylon lanyard out of the hip pocket of his tattered shorts, and carefully slit the plastic. He extracted a rectangular object and passed it to Case. "Thas part some gun, mon?"

"No," said Case, turning it over, "but it's a weapon. It's virus."

William Gibson

Neuromancer (1984)

Introduction
I. King Canute's Cybersecurity
A. It's Complicated
B. Exposure
C. Plan for the Crash
II. The Easy Case for Cybersecurity Regulation
A. A Series of Porous Tubes
B. Root Causes
1. Externalities
2. Information Asymmetries
3. Public Choice Problems
4. Technological Timidity
C. Failed Patches
1. Fighting Code with Code
2. Educating the Targets
3. Markets
D. The Need for Law
III. The Known Unknowns
A. Resilience
B. Disaggregation: Divide and Conquer
C. Heterogeneity: The Benefits of Diversity
D. Driving "Divide and Differ"
E. Carrot: Bribe
F. Stick: Regulation
1. Defining the Regulated
2. Sticky Defaults
3. Due Dates
4. Another Bribe
5. Bespoke Regulation
G. Objections
IV. The Unknown Unknowns
A. The Threat
B. Partial Defenses
Conclusion

INTRODUCTION

Begin with a tale of two specters.

The first invaded the computer systems of the Dalai Lama in Dharamsala, India, sometime in 2008. (1) As the leader of Tibet's government in exile, the Dalai Lama has long attracted the interest and suspicion of the People's Republic of China. (2) The Dalai Lama and the government in exile depend heavily on Internet communications technologies--a dependence exploited by their adversaries. (3)

The initial hint of trouble came from diplomacy. The Dalai Lama's staff contacted a diplomatic official by email to arrange a meeting. (4) Before they could arrange a telephone conversation, the diplomat received a warning from the Chinese government not to undertake the meeting. (5) Fearing that its systems had been compromised, the government in exile turned to the OpenNet Initiative (ONI), an academic research consortium that studies Internet censorship. (6) ONI dispatched two affiliated security researchers to analyze the Dalai Lama's computer systems. (7)

What they found was GhostNet: a sophisticated software program capable of covertly capturing keystrokes, copying files, and even activating cameras and microphones attached to infected computers. (8) GhostNet was a near-perfect spy: powerful, flexible, and almost invisible. It had infected computers used by the Dalai Lama, the government in exile, diplomatic offices in the United States and Europe, and a Tibetan activist organization. (9) ONI researchers watched GhostNet steal secret information from computers in the Dalai Lama's personal office, including a document outlining negotiating positions in discussions with the Chinese government. (10) They determined through their investigation that computers located in three different Chinese provinces (and one server rented from a U.S. Internet service provider (ISP)) controlled GhostNet. (11)

The specter was widespread: researchers found that GhostNet had infected nearly 1300 computers in more than 100 countries, including computers in the foreign affairs ministries of Iran and Indonesia; embassies of India, South Korea, and Taiwan; intergovernmental organizations; news organizations; and Tibetan exile groups. (12) Determining attribution--learning who operated GhostNet--was not possible from the data ONI could obtain. (13) The likely answer, though, is that China's security services introduced the ghost into the network. (14)

The second specter infiltrated the computers controlling Iran's nuclear enrichment program, likely in 2007. (15) Stuxnet, a joint project of the United States and Israel, is the most advanced cyberweapon built to date. (16) It performed two clever tasks: it sped up the centrifuges that enrich uranium, damaging some irreparably, and it concealed the acceleration from the engineers monitoring the system. (17) Stuxnet recorded data from normal centrifuge operations and, while sabotaging the centrifuges, replayed the normal data to the engineers, falsely reassuring them. (18) One piece of sophisticated malware succeeded where diplomacy and threats of military force failed--it set back Iran's attempts to craft a nuclear weapon by at least a year, and likely longer. (19)

Stuxnet both spied on and changed data, and did so invisibly for years. (20) Iran could not determine the cause of the centrifuge failures. (21) The country's nuclear engineers tried helplessly to solve the problem, even shutting down whole complexes of centrifuges at the first sign of trouble. (22) Stuxnet not only damaged Iran's physical infrastructure, it sapped the confidence of its nuclear experts. It crossed the air gap that separated Iran's nuclear computer network from the public Internet, breaching a precaution widely viewed as impenetrable. (23) Stuxnet is the first computer-based attack known to have caused physical damage; its deployment marks the opening salvo of a new era of cyberwar. (24)

GhostNet was a thief; it stole information from Tibet's exiled government to benefit its masters--probably China's government. Stuxnet was a vandal; it fed false data to Iranian nuclear engineers while it slowly destroyed their equipment. In combination, these ghosts demonstrate cybersecurity's most profound legal and technical challenge--to craft a system that keeps uninvited users from accessing or altering data. This Article proposes an approach to address that challenge. Cybersecurity cannot prevent the ghost in the network; instead, it should seek to cabin its depredations. Mitigation--not prevention--is the key. This Article employs the insights from studies of complex system design, such as normal accident theory, to propose a mixture of legal and technical strategies to deal with both known vulnerabilities and unknown, "zero-day attack[s]." (25)

This proposal builds on my prior work that established a theoretical, information-based approach to cybersecurity. (26) In brief, this methodology approaches cybersecurity as comprising three issues: access, alteration, and integrity of data. (27) Access involves whether a user may reach a given datum. (28) Alteration describes whether she may change it. (29) Integrity asks whether one may determine whether a given piece of information reflects the latest authorized changes. (30) Access and alteration have both positive and negative aspects. (31) The positive range, which I explored in earlier work, considers how authorized users may obtain and update information. (32) This Article explores the negative range of access and alteration: How can regulation reduce attackers' ability to access and alter information stored in networked computer systems?

It leads a new wave of scholarship on cybersecurity that breaks free from extant, poorly fitting models such as criminal law, international law, and the law of armed conflict. (33) This second wave of research develops new models for the unique challenges of information security in a computer environment of ubiquitous connectivity and minimal attribution. (34) Scholars have explored ways that the President, states, and administrative agencies can combat cyberattacks, using models ranging from public health to environmental law. (35) Most important, there is a nascent realization that since it is impossible to completely solve cybersecurity problems, "[w]e must learn to live with the disease." (36) However, this insightful literature identifies a variety of new approaches without offering concrete proposals to augment cybersecurity. This Article fills that gap.

I use an information-based methodology to make a counterintuitive set of arguments about how law can concretely address cybersecurity. My approach begins with the core normative claim that cybersecurity is underregulated. For the past fifteen years, the principal methods of addressing cybersecurity problems have concentrated on voluntary measures through self-regulation (37) and on process-based methodologies to tailor precautions to each organization's requirements. (38) These approaches disdain regulatory mandates. Not coincidentally, all have failed to improve security. Legal regulation has far more potential to remedy cybersecurity weaknesses than scholars or legislators appreciate. Legal mandates are likely to be costly in places, and to generate substantial political opposition, but they are both possible and desirable.

Next, this Article argues that there are two core problems related to unauthorized access to and alteration of data: attacks with available countermeasures and zero-day attacks without extant defenses (or at least defenses...
