By Donna Gallaher, CISSP, C|CISO
In my last article, “Striking a Balance in the Grey Zone,” I suggested standardized licensing of Digital Forensic Investigators (DFIs) to move the conversation on active defense governance forward. However, CISOs can get a lot more out of passive defense, at lower risk to their organizations, through some minor changes to current law. This article lays out the case for amending current laws to incorporate “intent” in the prosecution and disposition of cyber cases.
Last month, I attended a panel discussion at Cyber Summit Atlanta that included members of the law enforcement and legal communities. I asked them, “If a bad actor exfiltrated dummy data from a decoy server I had placed on my network, would that incident be treated the same as if real data had been stolen?” I was somewhat disappointed by the answer I received. Although exfiltrating any data from a network without permission is a crime, prosecutors weigh the actual harm suffered by the victim when deciding whether to pursue a criminal case against a suspected offender. In cases where only dummy data is taken, there is limited harm, if any, so the case may never be pursued. Considering the offender’s intent in criminal prosecutions for cyber cases, rather than only the harm actually suffered, would have several benefits for companies and for the industry.
Intent and the Law
The harm a person intended to cause, as opposed to the harm actually suffered, is not usually what determines how a crime is charged, but there is precedent for considering “intent” in public policy under certain circumstances. For example, in a crime involving a sexual predator and a minor, the law provides for prosecution based on intent. Law enforcement places adult agents posing as children in chat rooms and other social situations rather than placing actual children in harm’s way. Predators who prey on undercover agents are treated as if the agent were an actual child.
I propose that applying “intent” to cyber crime policy has several benefits and should be considered. Just as an adult agent stands in for a child in a chat room, companies should be allowed to place decoy servers on their networks with databases that impersonate actual customer records, and the penetration of those systems should be treated as if the actual data had been breached.
Benefits of Using Dummy Database Records
Treating dummy data as if it were real customer records would serve as an effective deterrent to cyber criminals and would allow for improved concealment of actual data through obfuscation. With the cost of computing decreasing, companies may choose to place an ocean of decoys on a network to hide the real database in a crowd of servers and to gather intelligence about criminal behavior. When a cyber criminal stumbles onto a decoy server holding roughly as many fake customer records as the actual database, the company gains several positive outcomes:
1. With no actual customer data taken, the incident may not meet the definition of a reportable data breach under the applicable notification laws. Therefore, there is no stigma for a company in reporting such an incident to law enforcement. Customer breach notification processes would not have to be initiated and the company would suffer no reputational damage.
2. During the incident, the company may collect valuable intelligence which may provide insight into the criminal’s behavior. This intelligence may be shared with other companies and law enforcement for the prevention of other cyber crimes.
3. The criminal may not know that the stolen data is fake and may lose credibility on the dark web when trying to sell the stolen dummy data. These “bad records” will drive the price of all stolen records down, or the criminal will have to perform extra work to validate that the records are real (which creates another opportunity for them to make a mistake). In either scenario, cyber crime becomes less enticing.
4. The criminal may be deterred from attempting to steal data from a company by the increased probability of retrieving only dummy data, the increased risk of reputational damage on the dark web, and possibly the risk of facing the same legal penalty as if the stolen data were real.
5. If a stolen decoy database includes the same number of records as the actual production database and the prosecution considers intent, the monetized value of the loss will be the same. Putting a dollar value on data is important to boards and executive teams when considering budgets, and an incident valued this way can demonstrate the increased likelihood of a particular risk, supporting better decision making.
6. The company may avoid some of the risks associated with other active defense tactics and the management of digital forensic investigators.
Although I fully support the licensing of digital forensic investigators (DFIs) to support a more active national cyber defense, I would recommend first exhausting the options for passive defense, given the lower risk to a company. Information sharing from active defense techniques, with true transparency, may take years to perfect, but sharing information related to dummy data is a much more comfortable conversation to have with CISOs and General Counsels, and companies need additional tools in their defensive arsenals. Maximizing our passive defenses through legislative improvements in the treatment of stolen data, while we work out our information sharing challenges, will lay the groundwork for the more advanced information sharing that may come from later active defense legislation. This will serve as an effective deterrent while the certification standards and training are developed.
What do you think? Please contact the NTSC at firstname.lastname@example.org and reply to this article to let your voice be heard.