The 9/11 Commission is Massively, Completely and Catastrophically Wrong
Published on in Cyberlaw, Cybersecurity
Note from Steve (April 3, 2022): I’m leaving this up because it’s a thing I wrote once upon a time. In the intervening 7.5 years, some of my opinions have shifted. Some haven’t. And frankly I’m not sure about some of my textual interpretation here anymore. A post like this is best left to experts - not some 23-year-old.
I still think “hacking back” is a terrible idea, but we’ve managed not to have a cyberattack turn into a shooting war. Much the opposite – we’re now seeing that overt and offensive cyberattacks can sometimes be components of shooting wars.
On the other hand, I now come down on the opposite side on liability. At this point, it’s better companies can disclose attacks so they can be mitigated and consumers can react appropriately. We’ve also seen that in cases of actual/gross negligence, there is still liability. Also, market forces still incentivize protecting consumer information.
Anyway, the original post follows.
End note
Recently (July 22), the 9/11 commission published “Today’s Rising Terrorist Threat and the Danger to the United States: Reflections on the Tenth Anniversary of The 9/11 Commission Report” (executive summary), a ten-years-later reflection on how the world has changed since they issued their first report. There are a number of sections to the report, covering everything from counter-terrorism, public perception, and cyberspace. They give some pretty dire warnings and are scathing to the change already in place.
As a technologist, my primary interest is in cyberspace. I have read the report and come to a chilling conclusion: The 9/11 commission does not understand technology, international law or current American policy regarding international law. In the worst case, if followed, their recommendations could reasonably lead to a shooting war with China, Russia, North Korea or any other major power or “rogue” state. They could lead to complete alienation of the United States’ current allies. No matter what, these recommendations, if enacted, set an extremely bad precedent both in terms of law and policy. Their recommendations have the internet becoming a land of cowboys, without any sheriffs to keep them in hand. They turn the internet into a dystopia, á la Neal Stephenson’s Snow Crash.
I am discussing one paragraph, hidden on page 41 (labeled 39) in the PDF linked above:
“Congress should enact cybersecurity legislation to enable private companies to collaborate with the government in countering cyber threats. Companies should be able to share cyber threat information with the government without fear of liability. Congress should also consider granting private companies legal authority to take direct action in response to attacks on their networks.”
Let’s break this down sentence by sentence and see where it all goes wrong.
First, “Congress should enact cybersecurity legislation to enable private companies to collaborate with the government in countering cyber threats”. Collaboration is a good idea. More data points means better conclusions. But how do they intend to do this? Are they going to pass a law like the controversial FAA (FISA Amendment Act, HR6304), which granted telecoms (retroactive) immunity from lawsuits due to “providing assistance to an element of the intelligence community”, provided the intelligence agency it was for “determined [the assistance] to be lawful” (among other conditions, which can be summarized as “was authorized during the Bush presidency” and “is designed to protect against a terrorist attack”). This law essentially allows intelligence agencies (the NSA) to hoover up anything they desire and claim that it is for counter-terrorism.
The basic idea of this sentence is sound. However, given the current, pervasive, common, multi-agency and international abuses by intelligence organizations (even Fox News is in on this now!), giving them additional powers seems to be the wrong direction to go. We have records of senior officials from intelligence agencies and telecoms lying to and spying on their oversight committees. Plainly, they cannot be trusted to properly use any additional power granted. By extension, it is difficult to trust any part of the government requesting collaboration.
Further, this is a bad idea because the telecoms have no reason to care. They’ve already been shown that if they go along with the intelligence community’s wishes, they get granted immunity. If they fought, they’d spend millions to billions for no gain to the company - just to the customers. And speaking of customers, the intelligence community cannot get pushback from them, because the public is explicitly unaware of these programs. In fact, it took AT&T whistleblower Mark Klein’s revelations before the public had concrete evidence of just how far the intelligence agencies were going.
Finally, it is a bad idea because, as revealed by Thomas Drake, the intelligence community cannot effectively use what it has now. In fact, according to documents he leaked, the NSA knew about 9/11 before it happened (through a program codenamed ThinThread). More information is not the solution to being unable to find things in existing information - in fact, it just makes the problem worse.
In conclusion of discussion of this first sentence, the base idea is good, but it is difficult for citizens to trust the government with this power or to trust that the companies they interact with will look out for the citizens’ best interests.
The next sentence is “Companies should be able to share cyber threat information with the government without fear of liability”. Once again, the base idea of companies being able to share information may be good. But reduction of liability is not the way. I’m going to focus on this from the point of view of companies protecting customer data - something of a hot issue right now. While there are other ways companies could be in possession of information making them liable for damage if lost or shared, a data breach is the most common and most directly relevant to consumers.
Right now, the only reasons companies have to protect customers’ data are economic. They’re twofold: first, liability - companies have to pay when they lose the data of others - and second, trust - companies lose the trust of customers when data is lost, which leads to a monetary loss as fewer customers use the company’s services.
First, liability. This one is pretty straightforward: if a company loses control of customer data - is hacked, has an employee leak it, just fscks it up and leaves it exposed - they can end up paying a hefty fine. Maybe to some companies, $10 million is chump change, but to many these fines have teeth.
We’ve seen in the Target Breach that there is a financial cost associated with losing control of consumer data. (And while I may be picking on Target here, they’re far from alone). This is a significant deterrent to companies. They get tons of bad press and they lose money. This has repercussions up the management chain. There is also the risk of class-action lawsuit. We’ve seen that this can cost. In short, those with the power to make decisions at companies have a significant incentive to have proper data security procedures.
Second, trust. While most companies can be hurt by a loss of consumer confidence, there is a large group of those who can’t. I’m speaking of companies with which customers do not have the ability to choose alternatives. Companies such as those which aggregate or analyze data, medical companies and credit reporting bureaus. Because consumers do not get a choice, they cannot be hurt by a loss of customer confidence and thus have only the liability from fines and lawsuits to motivate them to properly guard the customer data.
So going back to the original sentence - the commission is proposing to remove liability. What exactly they mean by this statement is unclear. They could be proposing either removing the FTC’s ability to levy fines or be granting companies immunity to lawsuit if they properly disclose data breaches - or both. If the ability to fine companies is removed, only the second motivation remains - loss of consumer confidence and class-action lawsuit.If companies are granted immunity if they properly disclose data beaches, then they have to worry about fines and customers taking their business elsewhere. Either of these cases would significantly de-incentivize companies to keep consumer data safe.
And then there is the worst case - the FTC is stripped of its ability to impose fines AND companies are granted immunity from suit if they disclose data breaches properly. This leaves companies suffering no consequence except a loss in consumer confidence if a data breach should occur. In short no matter what the commission intends with this sentence, companies will have significantly less motivation to correctly safeguard their customers’ private data, leading to an increase in data breaches - it simply won’t be a priority anymore.
Let’s move on to the final and, frankly, absolutely most terrifying sentence: “Congress should also consider granting private companies legal authority to take direct action in response to attacks on their networks”. Be warned, this section is going to get technical, to give a high-level overview of some important parts of the internet, as well as common malware and hacking strategies. We’ll also cover some point of United States policy on international law. While these seem disparate now, they draw together into a final, terrifying conclusion - if this recommendation is followed it could lead to a shooting war.
First, we need to understand what the commission means when they say “direct action”. They don’t mean “legal action”. They mean striking back, using every resource available to take out the enemy. This is actually an idea I discussed at length with a lawyer friend of mine about half a year ago. He wanted to understand why it wasn’t a common practice to automatically strike back at the source of any attack on a computer system. I gave him three primary reasons:
- Legality - Launching an attack on a computer system is a crime. In fact, the laws on this are so broadly written they have been used to do everything from target whistleblowers to making it a crime to alter URLs.
- Wastes resources - much more of the internet traffic will be attacks and counterattacks
- Targeting - Any attack will have an obscured source. If you strike at where the attack is coming from, you’ll almost certainly be attacking someone innocent of the attack
In order to better understand these reasons, it is best if we understand the kinds of attacks that could be used. In general, any kind of computer attack is a possibility. They generally fall into the category of a DoS - Denial of Service. In this kind of attack, the attacker takes some action - typically either exploiting a bug which causes a computer to crash or, more typically these days, by sending the target so much traffic it cannot cope (often these are Distributed Denial of Service attacks, like the one linked. This is a passable discussion of types). In either case the goal is to knock the other computer off the internet, at least for a little bit.
Let’s look at legality. For the purposes of this discussion, we’ll assume that current laws, such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act stand. CFAA makes it illegal to “knowingly cause the transmission of a program, information, code, or command [which] … intentionally causes damage without authorization, to a protected computer”. Seems pretty clear - cause damage (a term loosely defined), violate the act. It is also worth looking at how a ‘protected computer’ is defined. The first definition basically says one the government owns or uses. The second is any computer which “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States”. It is almost impossible to use the internet without data crossing state lines - thus becoming interstate commerce. In summary, any computer connected to the internet is a protected computer. Further, it is simple to argue that a computer attack is causing damage. Lets look at the two examples above: If a computer is caused to crash, it is lost work and productivity. If service and internet connection is denied via a DDoS, some one is being deprived of the service they pay for (yes, even if they were not going to use it).So it clearly follows that, under current law, any sort of “direct action” is criminal.
Next, wasting resources. Allowing private entities to strike back at the alleged sources of attack would waste resources which are common to all users of the internet and, in the strictest legal sense, are owned by other entities. The primary resource I’m concerned about is bandwidth. While it is very much the exception, the 2013 attack on spamhaus reportedly slowed the entire internet. Every attack is obviously not going to be this large, it is easy to imagine that a large number of small-bandwidth attacks occurring could have a similar effect, especially if they cross national or continental boundaries (where there is typically less bandwidth).
Finally, targeting. Targeting direct actions seems pretty simple, right? Wherever the traffic is coming from is who you target. Unfortunately, no.
In order to understand why not, we need to understand how data gets where it is going on the internet. Data on the internet is transmitted as packets. Sometimes the data (like an instant message) might be small enough to fit in one packet. Other times, like with streaming video, it takes many, many packets. But simply throwing a blob of data onto the internet isn’t useful - it has to know where it is going. In order to direct packets, every computer has something called an IP (Internet Protocol) address. This is sort of like your street address - a globally unique identifier for a particular location. In the vast majority of cases, packets have both source and destination addresses on them. Again, think of it like mailing a letter - the destination address tells the post office where the letter is going, while the source (return) address tells the recipient where to address a letter to reach the sender.
However, much as I can write 1600 Pennsylvania Ave. as my return address, so can I put any address on a packet for the source. There are various technological means and methods which prevent this from working in many cases. However, there are an equal number of situations where it can - and must - work. Clearly, under certain conditions, merely striking back at the source of the attack is going to harm innocents who have been framed.
Striking back in the remaining conditions isn’t a good idea either. Why? Because cyberattackers have an excellent motivation not to get caught. They never attack from a computer they own/operate, at least directly or traceably. This means that attacks often come from botnets - machines infected with malware that has them performing operations their owners/operators do not approve of. By knocking these machines offline or otherwise attacking them, someone who is not deliberately or maliciously involved in the attack is getting harmed not once, but twice. First by the malware which is causing their computer to act without their permission and second by the American private entity which is now attempting to knock them offline.
Botnet operators may own and operate command and control servers - those machines which give commands to malware-infected computers. There is an argument that the 9/11 commission is suggesting giving entities permission to attack these. This act is of questionable legality under international law. But that doesn’t matter - it will be ineffective. Malware authors put significant effort into making sure that they can recover from a total loss of command and control servers. Any entity trying to knock these out would be playing whack-a-mole - one goes down and another one replaces it. We have seen in the past that even the combination of the FBI, multinational banks and Microsoft cannot successfully take down a botnet’s command and control infrastructure. Giving every little private entity the ability to take potshots at any machine they think may be attacking them - without legal due process - isn’t going to be more successful in damaging the sources of the attacks.
To wrap this point up: it is nearly impossible to target the actual attacking party in a cyberattack. Any attempt to do so will have massive unintended casualties and, in many cases, will entirely fail to affect the actual originating party.
Finally, to wrap up why this is a terrible idea: the United States considers cyberattacks to be violent acts which allow equivalent retaliation under international law. Additionally, this includes using real-world armaments to perform retaliatory attacks - so long as the damage is equivalent, it is ’legal’. Taken with the above, allowing private entities to use retaliatory cyberattacks is essentially arming them and turning them loose on foreign nationals. In fact, it seems likely that due to the imprecision of targeting, a “false flag” attack could be used to trigger a war between two countries - neither of which originated the attack.
In conclusion, following the 9/11 commission’s recommendations on cyberattacks could quickly embroil the US in an international shooting war.
As a postscript, I must note that in many cases I’ve taken the worst-case scenario. I would hope that world leaders would have more sense than to get into a war over cyberattacks, short of them causing loss of life and being directly claimed by another nation. I also hope the leaders in the US have the sense not to allow private entities to perform cyberattacks quasi-legally.