Inside Cyber Warfare - Jeffrey Carr [115]
At a time when cyber attacks threaten global security and states are scrambling to find ways to improve their cyber defenses, there is no reason to shield sanctuary states from the lawful use of active defenses, and every reason to enhance US defenses to cyber attacks by using them. Selectively targeting sanctuary states with active defenses will not only better protect the United States from cyber attacks but should also push other states to take cyber attacks seriously as a criminal matter because no state wants another state acting within its borders, even electronically.
Using force against other states may sound like a harsh measure, but states that wish to avoid being the targets of active defenses can easily do so; all they must do is fulfill their duty to prevent cyber attacks.
Lieutenant Commander Sklerov is a native of upstate New York. He received his Bachelor of Arts from the State University of New York at Binghamton, his Juris Doctorate from the University of Texas, and his Masters of Law in International and Operational Law from the US Army Judge Advocate General’s School. He is admitted to practice before the Texas Supreme Court, the US District Court for Southern Texas, the US Court of Appeals for the Armed Forces, and the US Supreme Court.
In June 2006, Lieutenant Commander Sklerov reported to USS NIMITZ as deputy command judge advocate. While on NIMITZ, he deployed twice and served as officer of the deck (Underway) during combat operations in support of OEF and OIF. He is currently stationed at Naval Base Kitsap Bangor in Silverdale, Washington, where he serves as the staff judge advocate for Submarine Groups NINE and TEN (also known as Submarine Group TRIDENT).
* * *
[40] The views expressed here are those of the author and do not necessarily represent the views of the Department of Defense.
Scenarios and Options to Responding to Cyber Attacks
The following are fictional scenarios of the kind that various government and private organizations come across, and for which there is insufficient legislation or frameworks to guide them in deciding on a proportionate response to cyber attacks.
With these scenarios I have provided a list of options for response, to assist in the creation of future legislation governing such responses. As of this writing, some of the options considered here are either not legal or may be legally questionable.
Scenario 1
TeraBank, a financial institution with 5,000 employees, is forwarded a phishing email from 10 of their customers. The phishing attack prompts users to click on an Internet link to provide their online banking credentials and “validate their account.”
Option 1
TeraBank contacts the Internet hosting provider of the phishing website linked to in the email and requests the website be taken down. The hosting provider will usually take down the phishing websites, but by the time that occurs, the phishers may have received hundreds of bank account credentials from TeraBank’s customers.
Option 2
TeraBank forwards the email to other organizations, such as law enforcement. Law enforcement will receive many of these phishing emails, and as they are constrained by national borders, they would most likely do nothing. Some organizations, such as Internet service providers, may respond to this phishing attack by blocking access to the phishing site for their customers.
Option 3
TeraBank, using an automated computer program,