Reverse Deception: Organized Cyber Threat Counter-Exploitation (54 page)

Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online

Authors: Sean Bodmer

Tags: #General, #security, #Computers

BOOK: Reverse Deception: Organized Cyber Threat Counter-Exploitation
6.5Mb size Format: txt, pdf, ePub
Interpret a statute so that it makes sense rather than leads to some absurd or improbable result.
Track down all cross-references to other statutes and sections, and read those statutes and sections.

 

The terminology for IT and cyber technology is constantly evolving. To stay on top of the language, and also to find a place with clearly written definitions that you can use to help in your discussions with lawyers, try Webopedia (
www.webopedia.com
). This website is an excellent resource because it is kept up to date, and the editors do a phenomenal job of covering the spectrum of technical terminology. In fact, it is probably the best resource for technically precise explanations and definitions available on the Web.

Communicating with Lawyers

When dealing with lawyers, the importance of clarity of thought and expression cannot be overemphasized. Lawyers use language with precision, and one of the most frustrating aspects of dealing with lawyers is saying precisely what you mean. All too frequently, misunderstandings arise because of lack of precision in both written and spoken words.

You will be miles ahead of your counterparts if you can develop the skill of communicating more precisely. You may believe that a lawyer is splitting hairs by perceived “wordsmithing,” but we can assure you, counsel is reaching out to understand and translate what you are saying into a specific picture that most accurately represents what you are presenting, in a legal sense.

When you get together with your lawyers at the outset of planning, you will be able to scope out your operations and explain them in technically precise yet easy-to-understand language. From a lawyer’s perspective, you’ve already distinguished yourself from the typical techie as someone who’s really concerned with being understood. By that, we mean many IT professionals are so focused on the technical details (which are, of course, the nature of the job) that they take for granted that everyone understands what they’re talking about. And in most IT professional-to-IT professional cases, this is true. However, the manner in which you speak to a lawyer should be different, and that difference is precision of language.

Even if you are tech-savvy, it is still a good idea to review the definitions of terms you are familiar with. You are likely to find plain language that is more easily understood than that you ordinarily use.

Taken as a whole, improving the precision of your language and doing enough legal research to help you understand the context of the operation you are proposing will go a long way to improving the dynamic of the working relationship you’ll have with your lawyer. Ideally the clarity and precision of your communications will improve over time the more closely you work with legal counsel. As an IT professional, it is not expected that you take a course on legal research and writing just to be able to work with a lawyer. A far more effective approach would be to create a dialogue, within the working relationship with a lawyer, and strive to improve communication together.

Ethics in Cyberspace

Beyond the legalities of your actions, you should also be thinking about your ethical responsibility in cyberspace. Yes, even in cyberspace (especially in cyberspace), you should be thinking about the ethical implications and ramifications of your actions. As practitioners on the frontlines, you are individually, if not collectively, shaping and sometimes chipping away at the very edges of what may one day pass for the ethical status quo. Put another way, your collective hands are on the lid to Pandora’s box. What is unthinkable today may be happening tomorrow, thanks to the cutting of ethical corners or failing to do the right thing.

Ethics in cyberspace is a relatively new area for the legal ethicist. Most ethicists aren’t practitioners and therefore don’t often deal with issues concerning deception in the context of network defense. Their focus is largely on the protection of privacy of the individual.

Once you move to the realm of network defense, you are dealing with adversaries who by law are not where they are supposed to be. In almost every instance, the intruder made his way into the network illegally by essentially trespassing.

There is a very well-developed legal framework to deal with intruders, and as one of the “good guys.” your responses are bound by that framework. You can expect to work closely with legal counsel to ensure that your operation is legal, but it is still somewhat rare to have discussions about the ethical implications of your actions with legal counsel. But this does not mean that there are no ethical consequences to your actions. Even if your specific operation does not push ethical boundaries, taken collectively, the actions of you and your colleagues just may.

It would be easy to take the position that as long as it’s “legal,” you don’t need to give any thought to ethical ramifications. You can imagine how this could lead to a less comfortable future for all of us. In this context, lessons learned from the kinetic world (armed conflict) are insightful. Depending on your age, the only armed conflict that has happened in your lifetime may be asymmetric, characterized by combatants not in uniform, without allegiance to a nation state and who don’t play by the rules of armed conflict. In the recent past, we’ve seen the law grapple with the difficulties of dealing with enemy combatants (such as struggling with the definition of an enemy combatant), to dealing with torture and questions of jurisdiction for prosecution of their alleged crimes. Up until this time, the law of armed conflict was well settled with regard to the treatment of combatants. Politics aside, asymmetric warfare forced national leadership to address these legal issues, sometimes with less than ideal results, particularly from an ethical perspective.

For the Department of Homeland Security—with its responsibility for the .gov infrastructure, United States Cyber Command (USCYBERCOM), and .mil infrastructure, and the recognition of the “responsibility void” with regard to the .com infrastructure—dealing with asymmetric or patriotic hacker threats presents many of the same dilemmas and impediments. Probably more than any other obstacle, the problem of attribution has served to impede the resolution of the central ethical dilemma regarding transnational persistent threats. It will be difficult indeed to address attribution in a vacuum devoid of ethical consequences. When dealing with adversaries who are not bound by our rules, but rather wish to exploit those rules, it may be tempting to want to loosen our ethical constraints, if not laws, to more squarely address the adversary. This tension is always present, especially when blending or merging legal authorities. Even if you work exclusively in the private sector, you need to remain aware of this tension and how your actions may impact this balance.

Conclusion

This chapter provided points of consideration to the IT/cyber professional on how to be a better client to a lawyer charged with the responsibility for providing legal advice and guidance regarding proposed or pending operations. The legal landscape of cyberspace is a dynamic and seemingly ever-changing environment. For those who are not lawyers, knowing the information about your operational strategies and plans of value to your lawyer can significantly reduce the amount of time needed to understand the legal options and ramifications of your operations.

Learning to communicate more effectively (precision and clarity) with your lawyer is an important first step. You would do well to explain technical jargon and terms in the plainest possible language, while asking questions about aspects of the law that are not clear. It can be just as confusing for a lawyer trying to speak geek. Remember that you are gathering background information in preparation for working with counsel, not to replace the lawyer. This is not to suggest that you can’t have a productive working relationship with a lawyer if you have not done extensive background research on the relevant legal issues. A happy medium is probably the best approach.

If you have a general sense of the law, it can be of value in developing strategies and plans to address your operational needs and requirements, especially if you do the development work in collaboration with your lawyer. Most lawyers would prefer to be involved from the beginning stages, to ensure legal compliance, rather than be handed the operational plan at the eleventh hour.

Probably the most efficient way to stay on top of legal issues in IT and the cyber realm is to follow one of the many blogs and websites dedicated to that area of the law. From there, if you need to research laws that are specific to your planned operation, a reasonable review of applicable state and federal law is prudent. Of course, cyberspace transcends international boundaries, and can involve international law and treaties. Being familiar with applicable laws as they relate to your planned operation is a good idea, and doing legal research can be helpful; however, it is ultimately the lawyer’s job to understand and navigate this complex terrain.

CHAPTER

6

Other books

Death on the Mississippi by Forrest, Richard;
Remainder by Tom McCarthy
Ginny by M.C. Beaton
Exiled by Workman, Rashelle
The Book of Skulls by Robert Silverberg
Dead Heat by Linda Barnes
Flight of the Stone Angel by Carol O'Connell
Inked Chaos by Grace, M. J.
Speaking for Myself by Cherie Blair