116 Pages Posted: 10 Apr 2011 Last revised: 18 Jan 2016
Date Written: April 7, 2011
Cyberwar has become a reality. The question is no longer “if” the United States will experience a major cyberattack aimed at disrupting critical infrastructure, but “when.” In July of 2010, Iranian uranium enrichment activities were severely hindered by the Stuxnet worm, which used a number of zero-day exploits and damaged the Iranian nuclear infrastructure. In early 2011, documents leaked from the files of a computer security company provide evidence that there are “cyber contractors” in the United States that provide subscriptions to lists of exploitable vulnerabilities in popular software. Additionally, there exists the threat of Distributed Denial of Service (DDoS) attacks that could be used to knock a system’s defenses off-line and render the system more vulnerable to further attacks.
In the United States, highly visible corporations and privately owned critical infrastructure are both likely targets for debilitating cyber-attacks, and there is an urgent need to ensure that these groups are protected. Currently, there is no consistently effective domestic or international criminal law regime to deter these sorts of attacks, and resorting to civil litigation is likely to prove impractical. A major barrier to punishing cyber-attackers is the difficulty of identifying individual attackers. Passive defense methods, like firewalls, software patches, and antivirus software, do not require potential attackers to be identified to be effective. However, passive defense methods are not used consistently enough to have a perfect deterrent effect, and are all but useless against attacks utilizing zero-day exploits. For these reasons, we strongly urge a regulatory regime that would govern the use of active defense technologies, especially technologies that would enable mitigative counterstriking.
Active defense, however, has been a controversial subject, and it is this controversy that we seek to engage with. The reason that commentary about active defense has been so tentative and inconclusive up to this point is that active defense is intuitively bothersome and seen as amounting to vigilantism that carries significant danger of collateral damage. We assert that researchers have been analyzing this topic incorrectly as a unitary whole, instead of looking at the different aspects of active defense (detecting, tracing, and counterstriking) and the two possible characterizations of counterstrikes (mitigative and retributive). A mitigative counterstrike would involve actions taken in self-defense in order to interrupt an attack in progress and mitigate immediate harm to a target system. Self-defense in cyberspace is a necessity, especially to protect critical infrastructure. Our analysis concludes that cyber counterstriking is readily justifiable under a self-defense framework, provided principles of mitigation are observed. Mitigative counterstriking is also legally justifiable under several areas of domestic and international law, and can be made consistent with other areas of law by amending the law or by reinterpreting it.
After evaluating the technologies, the potential types of attacks, and the legal context, we conclude that mitigative counterstriking would be most effective when used in response to DDoS attacks originating from botnets. Such a counterstrike would interrupt the attack and mitigate harm to the victim system, while also preserving the victim system’s defenses against additional attacks. Harming non-attackers through counterstrikes is also a potential concern, but we observe that the technological capabilities to engage in self-defense are advancing rapidly and provide the capability to avoid unnecessary harm to third parties. We urge the government to regulate active defense and oversee mitigative counterstriking, perhaps as part of a public-private partnership to take advantage of the core competencies of both the public and private sectors on this topic. Our recommended regime to permit mitigative counterstrikes as self-defense would also include liability rules to protect third parties in the event that a counterstrike causes harm to a party other than the initial attacker.
In short, the current situation with cyber-attacks is ominous, and more effective methods must be provided to potential victims to permit them to protect themselves. The time to act is now, and we must legally solidify the right to use self-defense in cyberspace, while also protecting the rights of potential uninvolved third parties who might be harmed by mitigative counterstrikes.
Keywords: cyberwar, cyberattack, Distributed Denial of Service (DDoS), active defense, counterstriking, cyberspace
Suggested Citation:
Kesan, Jay P. and Hayes, Carol Mullins, Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace (April 7, 2011). 25 Harvard Journal of Law and Technology 429 (2012); Illinois Program in Law, Behavior and Social Science Paper No. LBSS11-18; Illinois Public Law Research Paper No. 10-35. Available at SSRN: https://ssrn.com/abstract=1805163