CLC#004: And Reprisal
Cyber Lunarium Commission #004:
The Cyber Lunarium Commission was established to propose novel approaches to United States cyber strategy grounded in technical and operational realities. The commissioners of the CLC “moonlight” in cyber policy, drawing upon their experiences in government, military, industry, and academia.
This fourth and final post in the Cyber Lunarium’s cyber letter of marque (CLoM) series explores some of the most controversial ideas thus far. Building upon prior discussion of the CLoM concept in CLC#001, the application of CLoMs to counter-ISIL cyber operations in CLC#002, and the CLoM-based IoT access-as-a-service ideas in CLC#003, in this post the Cyber Lunarium explores reprisal operations. These concepts may be seen as norms-violating, escalatory, and otherwise controversial; they are offered to spark discussion and consideration. The concepts below hinge on the second part of the phrase “letters of marque and reprisal.” In these concepts, cyber letters of marque and reprisal (here “CLoMR”) are employed in retaliatory, deterrent, and/or profit-seeking contexts.
Congressional authorization and oversight would still be required for these operations, but ultimately they would generally involve external funding, either from third parties hiring CLoMR holders in hackback scenarios, or from the spoils of the operations themselves.
As touched on in CLC#001, CLoMRs could be used to legally authorize controversial “hackback” activity - currently a “legal gray area” activity. In these operations, governments could permit offensive cyber teams operating under CLoMR authorities to aggressively pursue adversary operators, as contracted by private companies.
Hacking back has been a hot-button topic within the realm of cyber policy for at least a decade. While the concept has been seen as taboo by practitioners and policymakers alike, the Cyber Lunarium Commission argues that not having a discussion around hackback does more harm than good.
Demand exists for hackback services in the corporate world, and complementary to this demand, there are actors able to provide these services. With a policy discourse focused more on the problems of hackback than its potential benefits, and the law tacitly unenforced, actors may continue to offer their services quietly and without government deconfliction. Further shifts in political winds against hackback may simply drive these actors to move out of jurisdictional reach rather than to close up shop (as seen in the private military contracting space). As an alternative to this state of affairs, the US government could embrace (and subsequently perhaps extend and extinguish as appropriate) hackback operations through the CLoMR mechanism.
The Cyber Lunarium Commission proposes a relatively simple solution that could act as an additional lever in deterring cyber crime or attack: when a known entity has conducted attributed attacks that violate US law and threaten US national security, the US Department of Justice could create a “US Reprisals List” similar to OFAC’s Sanctions Lists. Entities on the US Reprisals List, like entities on the sanctions lists, would be organizations that threaten US national security interests, or that have violated both US and international law. Any entity on the US Reprisals List could be targeted by Congressionally-authorized CLoMR groups.
Rather than creating blanket authorization for hackback activity to occur (e.g., through CFAA reform), gating this authorization with Congressionally-issued CLoMRs and the DoJ-administered US Reprisals List would ensure greater oversight of these activities, including the ability to revoke CLoMRs at any time; to compel operators to deconflict with the US intelligence community, law enforcement, and military cyber operations groups; and to limit the theaters in which hackback operators engage. DoJ could also remove entities from the US Reprisals List at will, based on Congressional or Executive Branch recommendations. Opening up a legal space for hackback would need to be accompanied by strong law enforcement action (e.g., under the CFAA) against those operating without authorization, and against CLoMR holders operating outside the scope of their license.
In hackback scenarios, CLoMR holders could be compensated for their operations through government-funded contracts, or even by companies directly employing them, as long as the company a) has reasonable grounds to attribute an attack against its systems and data to a specific organization, and b) that organization has been placed on the US Reprisals List by DoJ.
Embracing hackback and finding a way to allow it legally and with proper oversight will amplify US cyber power, and provide the operators an outlet for this activity without having to leave US jurisdiction or work for foreign countries against national interests. Allowing American corporations to conduct or hire hackback services would also help address corporate complaints that the US government does not provide sufficient protection from foreign cyber attackers.
The Cyber Lunarium Commission has already discussed one organization that could be placed on this list - the Islamic State of Iraq and the Levant (ISIL). Placing terrorist organizations that operate in cyberspace (especially given that economic sanctions are less effective against these types of actors) on the US Reprisals List would give the United States another avenue to fight terrorism without expending enormous amounts of government resources. The subsequent sections will discuss additional types of organizations that could be placed on the US Reprisals List.
Non-State Criminal Actors
Organized non-state criminal actors, such as Brazilian banking trojan operators, or large cyber-criminal enterprises such as FIN7, would be prime targets for inclusion on the Reprisals List for targeting by CLoMR organizations. Cyber-criminal organizations stole approximately 3.5 billion US dollars in 2019 alone, and can be just as detrimental to US national security as state-sponsored attacks. This is especially the case when cybercriminal organizations have connections to governments and can operate on those governments’ behalf.
While US and international law enforcement action can counter these actors when they break the law, victim companies have few ways to deter attacks other than simply pursuing strong defensive cybersecurity. Private sector companies could employ groups operating under CLoMR to hack back against Reprisals List-designated attackers, allowing them to destroy copies of stolen data as well as to proactively deter attacks.
As financially (rather than national-mission) motivated actors, criminal groups are likely to be more easily deterred from attack than foreign governments. If the cost of attacking a CLoMR-protected company becomes too high, or attackers are simply unable to profit from the activity because of hackback response, these actors are likely to be deterred and to attack non-US targets instead.
North Korean Cyber Criminals
While cyber criminals in general harm individual people and corporations, the Democratic People’s Republic of Korea’s (DPRK) cyber crime activity presents challenges at a much larger strategic level. Funds captured through DPRK cybercriminal efforts finance nuclear development programs, a serious and credible threat to global security. DPRK cybercriminal activity occurs at a volume and complexity beyond the US’s ability to counter with traditional law enforcement action and defensive cyber activity such as DHS’s “Hidden Cobra” bulletins. Without a more effective policy towards the DPRK that enables broader, active engagement to defeat or deter this activity globally, or diplomatic breakthroughs with the DPRK, the Hermit Kingdom’s criminal operations will likely continue unabated.
While the DPRK has thus far mainly targeted non-US banks for direct theft, if the country were to target US banks, CLoMRs could be used to shut down DPRK operations, or even potentially to recover stolen funds. CLoMR holders would be allowed to keep some portion of the captured funds, while returning the rest to the US government for redistribution to the victims of theft.
In more aggressive operating concepts, the DPRK government and its officials (as determined by US government analysts) could also be placed on the US Reprisals List, making organizations led by and assets owned by these individuals fair game for targeting. This kind of targeting could be authorized in response to aggressive cyber activity similar to the 2014 Sony Pictures Entertainment hack (during which North Korea also threatened the physical safety of US theater-goers), or simply in conjunction with traditional sanctions activity. In this scenario, second-order effects on otherwise legitimate banking corporations and the global financial system would need to be prevented.
Using CLoMRs to target an adversary nation and its leadership could be seen as “escalatory” or “norms-violating.” However, there is a case for aggressive action given the Hermit Kingdom’s pariah status on the world stage, and the widespread condemnation of its globally destabilizing activities in nuclear weapons development and testing, counterfeiting, narcotics trafficking, assassination, and cyber crime, among other activity.
In perhaps the most controversial concept of operations, CLoMRs could be deployed as a deterrent and reprisal mechanism against foreign corporations that have violated US laws and threaten US national security. For example, Huawei, a company accused of engaging in IP theft, violating international sanctions, and acting as an espionage front for the Chinese government, has clearly violated US law and endangered US national security. The company and its leadership have already been the target of international law enforcement activity, most notably with the arrest of CFO Meng Wanzhou in Vancouver in 2018. For egregious cases - such as Huawei’s - where traditional statecraft, sanctions, and criminal charges have failed to deter corporate misconduct, CLoMR could provide an additional tool for reining in this behavior.
A variety of concepts of operations for reprisal against designated foreign corporations are possible. Ultimately, decision making around the appropriateness of reprisal measures would be the responsibility of Congress and the interagency process, and would require significant input from economically-focused stakeholders (SEC, Treasury, FTC, Department of Commerce, etc.). Reprisal concepts which are highly norms-violating, or precedent-setting in a way that is harmful to US economic interests, would likely not be allowed, e.g., IP theft, or stock short selling on the basis of hacked information.
This post has explored the possibility of cyber letters of marque and reprisal. Closer to historical maritime letters of marque than the CLoMs discussed in previous posts, CLoMRs would involve funding coming from third parties or from the spoils of operations themselves. Of the various CLoM concepts explored in this series, CLoMRs are the furthest from notional contemporary cyber norms, but they may have substantial utility and are worth exploring.
In this section, we offer an overall discussion of the cyber letter of marque concept explored in this four part series. The commissioners of the Cyber Lunarium Commission would like to acknowledge the friends, peers, and strangers who offered feedback on our posts over the past few weeks. We hope to acknowledge their feedback and questions in this section.
Our four posts have focused on ways in which CLoMs would be helpful to the US cyber mission addressing immediate mission needs. Whether CLoMs would continue to be appropriate or effective in future operating environments is unclear. We believe that there may be a place for privatized cyber operations as a force multiplier or enabler for traditional governmental operations, but that CLoMs should never fully replace government operations.
Ultimately, responsibility for decision making around CLoMs rests with the government itself, requiring both Congressional action and Executive Branch orchestration. Any actual use of CLoMs would require extensive interagency coordination, Congressional buy-in, and the identification and engagement of private sector actors to actually carry out these operations. With these initial four publications, the Cyber Lunarium Commission has made an argument for the use of cyber letters of marque as a force multiplier, and explored a range of operating concepts under which CLoMs would be a useful tool. We hope to spur legislative action on this front, and we encourage policymakers to consider innovative mechanisms such as CLoMs as solutions to our national problems in cyber offense and defense.
In challenging times, CLoMs could be used to offload operations, as explored in CLC#002, allowing CLoM operators to take over counter-ISIL operations in order to free up US Cyber Command resources for more important mission needs. While critics could compare this type of activity to controversial proposals to outsource warfighting to private military contractors, CLoMs are fundamentally different. In contrast to traditional PMC activity, CLoM operators would be operating in only a single “domain” of warfare: cyber.
While DoD and NATO have declared cyber to be co-equal with the other four domains of warfare, in many ways the risks associated with privatized cyber operations are lower than in any other domain. Cyber operations can cause immense economic damage or even loss of life, e.g., when critical infrastructure is attacked, but the narrow scoping associated with counter-ISIL operations could prevent CLoM holders from targeting such infrastructure (if the group even has any of consequence). Unlike in kinetic operations, where civilian non-combatants can be killed or seriously injured, the risks of war crimes occurring during these sorts of cyber operations are minimal, with incidentally mis-targeted bystanders suffering a violation of digital privacy, or perhaps at worst, a “bricked” computer.
We believe that the access-as-a-service (AaaS) concepts explored in CLC#003, IoT or otherwise, have considerable staying power and may be worth exploring for cyber operations going forward.
As 0day exploitation becomes more challenging in the face of hardware and software mitigations, rapid update cycles, and more mature secure software development lifecycles within technology companies, procuring, testing, and integrating exploits developed by third party private sector groups will become more challenging for the government. Coincident with this trend, the increased difficulty and specific domain knowledge needed to discover and develop modern exploits will raise salaries for technical specialists able to keep up, driving them into the private sector and to firms able to leverage economies of scale through non-exclusive sales (e.g., being able to afford an expert in say, V8 JIT bugs, because they sell exploits to multiple agencies).
Even understanding the properties of a particular exploit for operational use is becoming challenging, as computer systems increasingly lean on software sandboxes and hardware-supported data protections such as SGX, while also becoming more fragmented between CPUs, GPUs, secure enclaves, basebands, wireless SoCs, and a host of other abstractions.
For all of these reasons, pushing out initial access operations closer to exploit developers can allow for more rapid and effective cyber operations. While CLC#003 explored the simple case of IoT AaaS, other concepts of operations are also plausible, such as a government customer providing a payload to be executed on the baseband of specified target phones, or purchasing credentials to login to a hardened device which required seven “chained” exploits to compromise.
Obviously, these sorts of AaaS operations would require closer coordination between the government and the 0day cottage industry than currently exists, including clearances, secure facilities access, closer vetting of uncleared employees, etc. This topic, as well as the need for better security in the offensive capability supply chain, may be explored in future CLC publications.
Aside from the obvious technical benefits of AaaS, on the legal front, foreign nations have already embraced the concept of operations, at the very least proving its efficacy, and challenging the US’s operational agility.
One point of contention between the commissioners of the Cyber Lunarium Commission while writing CLC#004 was the possibility of using CLoMR authorities to enable financial gain through stock market short selling. Ultimately, while this idea is tempting, it is particularly norms-violating and against US interests, as it runs counter to multiple treaties the US has signed. Further, the act itself could invite foreign attacks against Wall Street, an economic powerhouse unmatched by any foreign nation. For this reason, we do not recommend the pursuit of this concept, but offer our notes on it below, based on the debate between the Commission’s members.
Intelligence-based operations could allow CLoMR holders to seek intelligence about target companies through active penetrations into their networks. Company earnings information could be stolen before public release, giving CLoMR holders an edge on the market. In more aggressive operations, derogatory information from target companies could be recovered, and then released as the basis for stock short selling.
In these short selling scenarios, CLoMR holders could use information obtained through CNO to enable financial gain through the stock market. As external operators, CLoMR holders would not be engaging in insider trading in the classical sense, although trading on hacked material non-public information has itself drawn SEC enforcement action. While CLoMRs present a particularly aggressive approach to collecting corporate intelligence, there is precedent for short selling stocks on the basis of original investigative research paid for by hedge funds. For these operations to work, however, CLoMR holders would need to be indemnified against not only criminal statutes against hacking, but also civil claims and SEC regulations. This was objectionable to a majority of Cyber Lunarium Commission members.
In the most aggressive operations, holders of these CLoMRs could be authorized to conduct offensive cyber operations (deny, degrade, disrupt, destroy) against target companies. Rather than shorting stock on the basis of adversarial intelligence captured from target companies, in these operations the very knowledge of the timing and destructive magnitude of the attack would provide CLoMR holders with valuable financial insight. However, similarly to the taboos against government employees gaining financially from their classified knowledge or access, we also recommend against this option.
This concludes the Cyber Lunarium Commission's cyber letters of marque series. In future publications, we look forward to exploring other topics of national strategic importance.