August 26, 2014
Deputizing the Cyber Posse: The Next Frontier of Public-Private Partnership
Doug DePeppe is a cyber law attorney with Aspire IP Law Group.
“Virgil Earp was shot by concealed assassins last night. His wounds are fatal.
Telegraph me appointment with power to appoint deputies. Local authorities are
doing nothing. The lives of other citizens are threatened.”
-Letter of Wyatt Earp to U.S. Marshal, Tombstone, Arizona Territory, December
29, 1881
Facing a dire threat to the citizens of Tombstone by criminals, Wyatt Earp requested, and was granted, federal law enforcement authority and permitted to assemble a posse of gunmen to protect his family and to hunt for the men who had shot his brother. For $5 a day, these men were willing to place themselves in extreme danger to help Deputy
U.S. Marshal Wyatt Earp enforce the law.
One hundred and fifty years later, but acting in the same tradition as Wyatt Earp, government authorities in Mexico in May 2014 began to hand blue police uniforms and assault rifles to vigilantes in western Mexico, legalizing a citizen movement that formed last year to combat the violence of the drug cartels. Private citizens lined up at a cattle ranch to receive the uniforms of the newly created “rural state police force” in Tepalcatapec, one of the towns that founded the growing self-defense militias in the agricultural state of Michoacan, Mexico.
Since the time of Wyatt Earp, through the fighting of drug cartels in modern Mexico, there has been a recognized need in times of great societal imbalance or where specialized expertise is needed, for government to commission the support of the citizenry. In the cyber domain, this idea of turning to private enterprise to establish a cooperative environment to fight the collective risk of cyber attack has been called a “public-private partnership” or “PPP”. Indeed, the PPP reference in many law enforcement and homeland security contexts has become so widely accepted that it is almost becoming a tired concept. Yet, the notion of sanctioning an 1881 version of the PPP – a sanctioned posse that cooperates with law enforcement, and possessing the cyber equivalent of the deputizing authority that Wyatt Earp received – is a need that has come of age.
Calls for Better Integration
PPP is widely accepted as key to success in fighting cybercrime. According to Interpol, “It is essential that law enforcement collaborate across sectors with Internet security experts … towards forging a global alliance against cybercrime”. In announcing support for PPP cyber security initiatives last year, the White House observed, “Current public private partnerships in this space have at best unclear or ill-defined roles and responsibilities for … industry.” Support for the PPP model originates from recognition that the challenge of advanced cybercrime is unlikely to be resolved in the near future, and that law enforcement alone is not equipped to fully scale in response to a rapidly maturing threat landscape.
What is lacking in PPP definition, and the basis for Interpol’s call for greater PPP integration between the public and private sectors, comes down to a debate over security functions that many view as inherently governmental. It is a debate about the role of government and society in the face of collective risk. Yet, there was a related debate after 9/11 that challenged government’s approach to terrorism. That debate centered on whether law enforcement should focus on the prosecution or the prevention of terrorism. One resolution of that question led to support for information sharing, and the supporting structures – Information Sharing and Analysis Centers (ISAC) – which facilitate integration of the public and private sectors for increased awareness, preparedness, and responsiveness. ISACs established the lines of organization and operation that enabled government and industry to collaborate on operational matters.
Today’s cyber threats have created an imperative to fashion similar lines of organization and operation. Wyatt Earp’s proper conclusion about ‘threats to citizens’ in Tombstone should be observed once again in the context of cyber threats to society. The time has arrived to sanction the Cyber Posse with certain deputized authorities. Stewart Baker, former General Counsel at the National Security Agency, has been advocating this form of a public-private partnership for some time, making appropriate comparisons to private entities who engage in law-related enforcement functions, like car repo servicers and private investigators. He essentially envisions a licensing regime: “Government should set limits and provide oversight for a true public-private partnership, in which the private sector provides many of the resources and the public sector provides guidance and authorities.”
The Need for Change
Calling the Nation’s approach to fighting cybercrime a “failed approach,” in 2012 the FBI’s top cyber attorney, Steven Chabinsky, explained: “The FBI needs stronger partners in the private sector who can figure out who the bad guys are, and there needs to be much stronger relationships between the private sector, law enforcement and the courts to ensure that all the legal authorities that exist can be brought to bear against cyber attackers.” A simple dissection of the online criminal landscape lays bare why our approach to fighting cybercrime solely by law enforcement cannot succeed.
The summer of 2014 has witnessed an onslaught of point-of-sale (POS) attacks. There is a market for the stolen payment card information, and that is driving the sophistication of these attacks. The market where buyers and sellers appear is on the Darknet, where anything and everything is on sale, largely anonymous and insulated from law enforcement. Lately, the more profitable market is full identity theft, rather than payment cards. A full identity (known as a “fullz” on the Darknet) can be sold for $500 per record! Considering that a purchased fullz can be quickly turned into a fraudulent IRS Tax Return, leading to a return on investment of perhaps 500% or more within a couple weeks should underscore why a fullz commands such a high price.
The Darknet marketplace is very real, very scary, and very destabilizing. Does law enforcement care? Of course! That is why the Silk Road, a notorious store front on the Darknet, was taken down by law enforcement in 2013. However, other storefronts stepped in, just like one would expect in a healthy supply and demand market environment, even if it’s on the Black Market.
So you see, law enforcement alone is not equipped to outstrip the ingenuity and dynamic nature of a market force like the Darknet. Moreover, law enforcement has thresholds, and cases are not prosecuted where there is insufficient pecuniary loss or the severity of the crime doesn’t stir enough concern. Put simply, if your stolen identity were batched in a heist that failed to reach a threshold, don’t expect help from law enforcement.
Appreciating Market Forces
As a Nation, we do many things well, including balancing public and private interests. We support capitalism and embrace market forces. We curtail government advances onto private interests. And, we endeavor to lead the world in maintaining global stability. The cyber threat is our Nation’s number one security threat for good reason. It is a destabilizing force that is undermining America’s competitive advantages and our economic wealth. Indeed the risk is that trust in the Internet itself will be lost (foreign intelligence agencies are already looking to resort to typewriters again, to avoid cyber intrusions). Despite this clear challenge, government is entrenched in trying to solve a problem it cannot win. If respecting the power of market forces is ingrained in our capitalist DNA as a Nation, why do we persist in pursuing a failed approach that is rooted in a strategy favoring government prowess over the ingenuity of the Black Market?
Fortunately, the capability gap between profit-driven criminals and ill-equipped government investigators also creates opportunity. Cyber intelligence firms are selling services that fill this gap. Yet, what does not work particularly well is the integration of these cyber intelligence outfits and government. These firms represent ready-made, skilled, and well-intended resources that the Government could tap to help win the war on cybercrime. Instead, the PPP that exists today is a one-way information sharing pipeline – essentially a tip to law enforcement. That “tip” is often valuable intelligence that cost the cyber intelligence firm resources to develop. Moreover, because of the current PPP’s focus on prosecution, the relationship is not a partnership but rather a stiff arm: “Thank you very much, now stand back and stay out of the way.” For the private sector, it is frustrating that, after sharing the intelligence, the sharing firm has no assurance or influence that the intelligence will be acted upon in a productive way.
Remember the thresholds? Without a partnership, there is no incentive to produce costly intelligence and share it with government. Even the good citizen standpoint loses value without assurance that the data will be used in a productive way to combat cybercrime.
The ill-defined PPP model and the Interpol call toward greater integration effectively acting in a silo without support from the community it is seeking to protect. While this concept is widely accepted, however, what has not been developed is the framework within which this relationship can work most effectively. Instead, PPP is developing ad hoc and normally through informal relationships between private citizen cyber experts and law enforcement agents. This informal relationship building process, however, ignores that cyberspace is not Tombstone, Arizona. In cyberspace the criminals are usually not easily identifiable and care must be taken in how the response of law enforcement to cybercrime may affect the shared online ecosystem or comply with international standards.
Initiatives to combat advanced cybercrime activity benefit from the involvement of the private sector, but must be placed within a solid procedural framework that provides operational security and supports protection of international legal standards. Development of a successful operational framework requires skilled evaluation of needs, testing, and updating of procedural controls. It is critical that “PPP” actions aim clearly towards a sustainable response that is a true collaboration between private experts and law enforcement. A long-term thought leadership perspective is required, with investment in establishing functional and sustainable solutions. While arrests and successful prosecution may be the goal in the physical world, this may not be the correct standard for success in the cyber world. The private sector may offer advanced legal and technical solutions to “disrupt” transnational organized crime online that deters such activity more effectively than the arrest of a small number of hackers. The fast moving pace of technological developments requires the consideration of these specialized approaches when it comes to the effective prevention of cybercrime.
Commissioning the Cyber Posse
In order to ensure a sustainable and effective solution to advanced cybercrime, a solution that complies with international law and policy, a base structure exists in the ISACs that could be built upon. Operational and organizational lines could be fashioned within this existing framework. INFRAGARD could also be added to the ISAC framework to ensure a role for a law enforcement organization.
Within such a framework, licensing authorities from government to enable a Cyber Posse could be fashioned. To enable the scaling necessary to combat cybercrime, community group members of the DHS-affiliated Regional Consortium Coordinating Council (RC3) could serve a role in the regulatory regime that would be necessary to provide certification of private sector firms engaged in Cyber Posse activities. A framework must be established and maintained to draw limits on certain conduct, provide guidance for actions with and by private sector actors, and manage appropriate controls on cyber operations.
A regulatory framework for legitimizing the Cyber Posse would protect against a slide toward vigilantism. We need these mechanisms in the cyber world today. In the real world, bail bondsmen are authorized, usually by license, to seize fugitives and render them to the judicial system. What we structure in the brick and mortar domain to solve law enforcement challenges should likewise be structured in the cyber domain. In light of the out-of-control Darknet, White Hats operating in the frontiers of cyberspace, offering highly needed services, ought to have the appropriate license to help society fight cybercrime.
No comments:
Post a Comment