Crossroads Blog | CYBER SECURITY LAW AND POLICY


Steven Chabinsky (Crowdstrike, ex-FBI Cyber Division) talks private sector cyberdeterrence at ABA’s NatSec Law conference

I also had the opportunity to attend the ABA Standing Committee on Law and National Security’s 22nd Annual Review of the Field of National Security Law in Washington, D.C.  The conference is just wrapping up today, and was a great event.

Yesterday (11/30) the ABA invited Steven R. Chabinsky–the Senior VP, Legal Affairs & Chief Risk Officer of Crowdstrike, Inc. and prior Deputy Assistant Director of the FBI’s Cyber Division–to give a keynote lunchtime address titled “How Today’s Cybersecurity Problems are Reshaping National Security Law.”  It was, in short, a fantastic talk.  I’d like to discuss a bit of what he said.

Mr. Chabinsky started with the proposition that there is no such thing as cyberlaw.  In fact, he argued that in their day to day national security capacity, each member of the ABA’s conference was practicing cyberlaw.  The point was that whatever we consider cyberlaw to be, it is still far from established.

Moving on from that point, Mr. Chabinsky argued that the cybersecurity problem was, in reality, a technology problem.  He noted cyber vulnerabilities in cars and biomedical devices, saying “our nation’s citizens are vulnerable” and “targeting doesn’t have to mean Stuxnet.”  One line I loved: “you believe the display you’re watching is accurate,” but in reality, cyber specialists have the ability to manipulate displays to tell you everything is okay when it’s clearly not.  Furthermore, the U.S. has to realize its use of cyberweapons (like Stuxnet) will work both ways: we’re setting normative behaviors when we use such weapons, and unlike a bomb, a cyberweapon “doesn’t go away when you launch it.”  People are going to discuss, dissect, and possibly redesign it.

Then Mr. Chabinsky got to the topic I had waited for with bated breath: the role of private companies in cybersecurity.  He said that private companies are having discussions about taking action on their own in cyberspace because they don’t believe the government can handle it.  Furthermore, things aren’t getting better.  Congress is not passing effective legislation, but rather, arguing amongst themselves.  In the interim, the private sector suffers from cyberespionage.  “Everyone knows you can’t win on defense,” we can’t keep relying on the mindset of gates and guards, and we need to go after the bad guy.  “It will be a national security and law enforcement prerogative to involve the private sector in threat deterrence.”  This becomes especially relevant because, according to Mr. Chabinsky, we’re seeing increasing crossover between nation-states, terrorists, and criminal groups.

The talk then transitioned to the question and answer phase.

I forgot the question, but I love his response regarding the infection of SIPRnet by those flash drives: we keep talking about wake up calls, but “the snooze button has been hit 20 times.”

Regarding attribution, Mr. Chabinsky didn’t think it was as huge a problem as people make it out to be.  Direct attribution to a single person is still tough, but there is a greater chance of attributing conduct to a nation-state.

There was, at some point, a question about the legality of hackback.  Mr. Chabinsky noted there is a bit of unease about the idea of the private sector taking punitive measures.  However, he drew a distinction between punitive measures and the private sector taking stabilizing actions until they can hand off the situation to law enforcement or the intelligence agencies.  I really loved this idea.  It’s not so much beating the guy who stole your wallet, but pinning him to the ground until the cops come.  Mr. Chabinsky drew in 4th Amendment/exigent circumstance parallels, arguing that notions common in other areas of the law could be relevant here.  Indeed, it’s a shame that the U.S. “has the most capable, innovative private sector that is not involved in threat deterrence.”  My commentary: I really, really like this idea.  A lot of people are uneasy about hackback because it seems like some form of vigilantism or reprisal.  If we frame it not as a method of reprisal, but rather as something a company can use before the government gets on the scene, it’s easier to swallow.

Paul Rosenzweig (of Lawfare fame) had a great question as to how we could square hackback with international law, especially in the context of some sort of government supported hackback regime.  Mr. Chabinsky suggested that we need to have international norms in this area and segregate out in advance when and where we can do certain things.

This is, of course, my incomplete paraphrase of Mr. Chabinsky’s talk at the ABA conference; I don’t mean to put words in his mouth, so take what I’ve written as you will.

In any event, it was a wonderful talk, and probably one of the most forceful and persuasive arguments I’ve heard regarding the private sector’s role in cyberspace.

Again, all credit to the ABA (and of course Mr. Chabinsky) on this one.

***

It’s been a while, but if you’re interested, our Twitter account is @cyberlawblog.
