Active Defense: Can You Legally Go Beyond Your Network to Defend Yourself?

David Willson

Thu, 17th January 2013

Speaker Bio 1:
We were very lucky to have a true veteran in every sense of the word: David Willson. His presentation, "Active Defense: Can You Legally Go Beyond Your Network to Defend Yourself?", was a content-rich and interesting insight into the current state of play with regard to active defense. So, what do we mean by "active defense"? The best definition we could find comes from a piece by the Washington Post:

"The Defense Department has defined active defense as a 'synchronized, real time capability to discover, detect, analyze and mitigate threats and capabilities.'"

Washington Post: When is a cyberattack a matter of defense? February 2012
David is a leading authority in cyber security and the law. A licensed attorney in CT, NY and CO, he also owns and manages the Titan Info Security Group, which is a Risk Management and Cyber Security law firm. His firm has an acute interest in technology and the law, and he helps companies lower their risk from cyber-threats and reduce or eliminate their liabilities associated with loss or theft of information. David is also experienced in helping organizations manage difficult legal and cyber-security issues. As a retired US Army JAG officer, David provided legal advice in computer network operations, information security and international law to organizations such as the Department of Defense, the National Security Agency and what is now known as CYBERCOM, the formal command name being "U.S. Cyber Command (USCYBERCOM or CYBERCOM)." USCYBERCOM centralizes command of cyberspace operations and, according to Wikipedia, "organizes existing cyber resources and synchronizes defense of U.S. military networks."

David has spoken at many security conferences around the world and has published dozens of articles, such as "Hacking Back In Self-Defense: Is It Legal; Should It Be?" and, recently, "Cyber War or Cyber Cold War?"

It is really great for us to have had David on the show because he complements our other cyber security shows. Last year we had Dr Thomas Holt from Michigan State present "Identifying Cyber Warriors" and G. Mark Hardy present "Hacking As An Act Of War."

Questions and answers

Max, Concise Courses:
That was terrific, a lot of really good content there. I’ve got two questions here. First one is, “How does the increasingly lucrative market for offensive malware affect the active defense movement?”

David Willson:
I haven’t seen a lot of but a friend sent me a link about a company in Italy that has a tool called RCS which – once they put it on your network system – they can bypass all your encryption. They sell it to law enforcement because they need a warrant to put it on your system – so it’s sort of wiretapping. The consensus was that it was malware and that it was sort of a shady deal; but that’s just the article that I read, I don’t have any opinion whether it is legitimate or not. If there are tools that you can use then you need to incorporate them, but again when you get to the legal issues you have to be very careful as to what you are doing and the various court jurisdictions that [you are dealing with].

I’m going to throw this out there and I know that a lot of people disagree with me, but the guy who was recently convicted for hacking the ATT network [Andrew Auernheimer] I don’t agree that it was unauthorized access to the network. His intentions were bad, he made a lot of noise about it which was stupid, but when you look at the definition of gaining unauthorized access I don’t agree that that’s what happened, but he was convicted by a jury and we’ll see what happens on appeal. So, you got to be careful about which jurisdiction you are dealing with, where you are, so the more information and intel you can collect the better off you are.

Max, Concise Courses:
The last question follows on from that, [your last answer] when it comes to an active defense strategy, what are the international legal issues that companies need to consider, can you highlight a couple?

David Willson:
With regard to active defense?

Max, Concise Courses:
Yes sir!

David Willson:
Like I said earlier, when you get into the European Union, you’re dealing with privacy [interesting to see Siobhan MacDermott’s, Chief Policy Officer of AVG Technologies, (previous Hacker Hotshot speaker) comments, also referring to the sterner privacy laws in the EU] so most of the laws there are focused on that aspect of it [privacy] so your shift goes from gaining unauthorized access to “whose data am I looking at and for what reason?” Not all countries have the self-defense theory in the law, so you have to consider that as well.

I can tell you that I did a lecture on international cyberspace and Bernard Opal was on the panel from Interpol. His frustration was that as they begin to investigate they get to the network or infrastructure of a country, they ask for help and the country says no, the investigation ends there and they can’t go any further. That was the genesis behind that theory on international cyberspace. There are a lot more tricky issues. I believe that in the Philippines they came out with a law [Cybercrime Prevention Act of 2012] that is now being attacked vigorously because it is so overarching and it covers so many different things that people do on the Internet.

The law has a really tough time, because it moves so slow and technology moves so fast that there are so many variables, you can’t put a law together that encompasses everything. It’s going to be a long process and internationally, as I mentioned, it depends on the justification which countries, what their laws are; some countries have no laws so you don’t have to worry about it, but hopefully that answers that question?

Max, Concise Courses:
Sounds good. I’m sure there is going to be a lot of follow-up with you. We want to wish you continued success with this initiative and hopefully we can get you back on in the next couple of months to provide us with an update and I want to thank you very much for taking the time out to speak to us.

David Willson:
Sure, I’d love to be on again.