Cyber Conflict: The Modern Gold Rush

Gary Clayton and Kevin Coleman note the critical absence of rules of the engagement governing digital attack and defense

In the middle of the 1800s, a few prospectors found gold in California. When word got out, the lure of instant wealth spurred hundreds of thousands to rush to the West. Farmers, city slickers, people with no particular training or skills, all flocked to California to pan for gold. It was bound to happen in today's networked society. With the significant attention Capitol Hill, state legislatures and courtrooms are giving to digital security, it should have been expected that modern day prospectors would flock to the market claiming that they are cyber security experts. In one glaring example, an executive from one multi-billion dollar organization's publicly stated they were heavily involved in cyber security. The problem is that only one year earlier, the same executive denied that he or his organization was involved in cyber defense.

Brian, a Cyber Specialist with Spy-Ops, told us: "Amateur hour has begun and we should prepare for the fallout." One largely unanticipated fallout could be legal action against "amateurs" who rush into cyber security and forensics without knowing the rules of the game—or the legal risks they face. This has been apparent in a number of recent high-profile incidents where so-called security professional worked their way into U.S. and foreign computer systems while conducting their investigations. The investigators then publicly announced that computers belonging to other companies or governments were accessed and used without permission, all in the name of cyber security and fining evidence.

Can computer forensics investigators or others legally access computers they don't own and are not authorized to enter? Can computer files or other information be retrieved from the computers without the owner's authorization? Can you access into computers belonging to the United States government or the government of another country? In short: What are the rules of the road?

The courts, Congress, state legislatures and foreign governments have struggled with how to protect computers from unauthorized access. One of the first causes of action against unauthorized individuals arose by applying traditional physical trespass laws to computers and networks. In the United States and a number of other common law countries, the doctrine of trespass to chattels has recently been revived and applied by courts in the United States (US) to cover unauthorized access and intrusions (in the form of electronic signals) to computer systems connected to the Internet. This has had unexpected and far reaching consequences. Trespass to chattels, a doctrine developed to protect physical property, was first applied in cyberspace cases to combat spam, and hacking. (Editor's note: See Three Things the Litigator Says You Ought to Know.] The outcomes and reasoning in the most recent cases also illustrate the application of a property doctrine that analogizes telecommunications devices to land and construes electronic contact as trespass to physical property.

One opinion we reviewed actually stated an electron has weight (which it does) and, therefore, an electronic signal has weight and a physical presence (which is also the case.) It is this physical presence that forms the foundation for applying the laws of physical trespass apply to computers and networks. To make this even more significant is that laws of trespass are considered "common law." Common laws are in widespread use, in those nations which trace their legal heritage to England. These countries include the United States, Pakistan, India, Canada, Ireland, New Zealand, Australia and Hong Kong.

The legal issues get more complicated when there are criminal statutes designed to protect computers from trespassing, threats, damage, espionage, and from being corruptly used as instruments of fraud. For example, 18 U.S.C. § 1030 protects computers in which there is a federal interest. Under this statute, you commit a crime if you intentionally, without authorization access any nonpublic computer of a department or agency of the United States. Computer trespass laws may also apply when a person uses a computer or computer network without authority and with the intent to: Make or cause to be made an unauthorized copy, in any form, including, but not limited to, any printed or electronic form of computer data, computer programs, or computer software residing in, communicated by, or produced by a computer or computer network.

One recent high profile incident illustrates the legal issues that can arise. An organization, while investigating an international act of cyber espionage, executed computer commands on a server or servers in a foreign country. During access, the organization appears to have collected information from a server that was owned and operated by a foreign entity and possibly by a foreign government. The access to the servers was without the permission of the foreign owner. What is interesting is that in their report on the investigation, the organization openly admitted what they had done. This organization may have unknowingly admitted to the commission of a crime in that foreign country. This can potentially lead to legal liability not only for the organization and its employees, but also for any client who paid the organization to obtain information from or about the foreign computers.

When an individual or entity accesses, hacks or breaks into a U.S. computer, we frequently call this a "cyber attack." Under both domestic and international law, the question arises as to whether such computer trespass constitutes an act of aggression or even war against the United States. Even if this is not an act of aggression, illegally obtaining computer files may constitute a crime and result in the inability to use such information in court or elsewhere.

The rules of engagement for cyber space are gray or non-existent. Military, governmental and legal authorities need to thoroughly review the rules of the road and provide guidance on these issues. Furthermore, a full cyber doctrine around acts of cyber aggression and cyber crime must be created now to reduce the possibly of accidentally triggering an international cyber conflict or criminal or legal dispute. This must be done with international cooperation and collaboration. One doctrine crafted by the United Nations and agreed upon by its members is the goal. The last thing we need is each country connected to the Internet crafting their own regulations and definitions with respect to cyber crime and cyber acts of aggression.

So what are the rules of the road? How do we keep the modern-day 49ers out of trouble? Now is the time to address such issues—before more incidents occur and a cyber conflict is triggered. ##

Gary Clayton is the founder of the Privacy Compliance Group. He is an attorney and former prosecutor with over a decade of experience working with companies and the U.S. government on data protection and privacy issues. Gary focuses on issues related to compliance with international data protection laws and regulations.

Kevin Coleman is a Senior Fellow with Technolytics. He is the former Chief Strategist of Netscape with nearly two decades of experience working in technology and security. Kevin focuses on issues related to cyber security, cyber warfare and technology data protection.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.