Lawfare Daily: Sezaneh Seymour and Brandon Wales on Private-Sector Cyber Operations

Alan Rosenstein

The following podcast contains advertising to access.

Brandon Wales

An ad free version of the Lawfare Podcast. Become a material supporter of lawfare@patreon.com lawfare that's patreon.com Lawfair also check out Lawfare's other podcast offerings, Rational Security Chatter, Lawfare.

Alan Rosenstein

No Bull and the Aftermath.

Cezanne Seymour

If you're running a business, you know that every time you miss a call, you're leaving money on the table. When every customer conversation matters, you need a phone system that keeps up and helps you stay connected 24 7. That's why you need OpenPhone. OpenPhone is the number one business phone system that streamlines and scales your customer communications. It works through an app on your phone or computer, so no more carrying two phones or using a landline. Plus, say goodbye to voicemail. Their AI agent can be set up in minutes to handle calls after hours, answer questions and capture leads so you never miss a customer. OpenPhone is offering our listeners 20% off of your first six months at openphone.com tech. That's O P E N P-H-O-N-E.com tech and if you have existing numbers with another service, Open Open Phone will port them over at no extra charge. Open Phone no missed calls, no missed.

Paige

Customers this is Paige, the co host of Giggly Squad. I use Uber Eats for everything and I feel like people forget that you can truly order anything, especially living in New York City. It's why I love it. You can get Chinese food at any time of night, but it's not just for food. I order from CVS all the time. I'm always ordering from the grocery store. If a friend stops over, I have to order champagne. I also have this thing that whenever I travel, if I'm ever in a hotel room, I never feel like I'm missing something because I'll just Uber eats it. The amount of times I've had to Uber eats hair items like hairspray, deodorant, you name it, I've ordered it. On UberEats. You can get grocery alcohol everyday essentials in addition to restaurants and food you love. So in other words, get Almost anything with UberEats. Order now for alcohol, you must be legal drinking age. Please enjoy responsibly. Product availability varies by region. See app for details.

Brandon Wales

The threats that we are facing in cyber have not been sufficiently managed using the tools that we have. To date, they have not sufficiently worked. We still have a ransomware epidemic in this country. We still have nation states that operate with near impunity in cyber. They're Looking for additional tools, and hackback is one of them.

Alan Rosenstein

It's the Lawfare podcast. I'm Alan Rosenstein, associate professor of law at the University of Minnesota and senior editor and research director at lawfare. Today I'm talking to Cezanne Seymour, former senior editor at the National Security Council, and Brandon Wales, former executive director of the Cybersecurity and Infrastructure Security Agency.

Unnamed Speaker

Most of our critical infrastructure is privately owned, and those companies make their own decisions about security investment and risk. But when things go wrong, it's the public that ends up paying the price. And sometimes the government has to step in.

Alan Rosenstein

Cezanne and Brandon are the authors of a new Lawfare research report, Partners or Provocateurs, which tackles the increasingly urgent question of whether the U.S. should authorize private companies to hack back against their adversaries. We discussed the framework they propose for evaluating such a policy shift from defining the objectives and scope of offensive operations to the complex questions of legal authority and liability for collateral damage. So I want to start at a kind of 30,000 foot level before we dive into the details of this really interesting paper and proposal that you have all published with us on Lawfare. The first question I have is why you chose the approach that you did, which specifically is to instead of laying out, let's say, a concrete proposal, here is how the United States should go about empowering private sector entities to do cyber operations instead to set out this kind of framework to give policymakers a choice of options. Why did you feel like that today, given what's happening in D.C. was the better way of going about this?

Unnamed Speaker

So why did we choose to not present a concrete proposal? One of the reasons is it's very easy to get lost in technical jargon in the cybersecurity conversations and forget that, you know, this is really isn't just about networks and hackers. It's really about national security risks that we're facing because of our systemically poor digital resilience. And the consequences aren't abstract. And it's a really complex issue, right? So we're talking about the risk of a hack making critical services unavailable, communities suddenly waking up with no power or water. You dial 911 and no one answers. You know, a company wakes up and finds that there are decades of cutting edge research are suddenly wiped from their systems, and the scale of the problem is huge. And the problem is really complex. And so one of the things that we're trying to do is just lay out a first principle series of questions that we think are worth a thoughtful dispassionate discussion to just even ask, what are we trying to accomplish here when we talk about offensive cyber operations and expanding participation to the private sector? Because this isn't a new issue, as you know, and as we've discussed before, this has come up multiple times. But really, I think we need to ask ourselves first principles. What are we trying to accomplish? What is the nature of the problem, and what are the risks and benefits? So that's really what we've tried to lay out here.

Brandon Wales

You know, I'll add on only building on the complexity point. I think what we really wanted to get across was that there are multiple layers of complexity around this issue, each of which requires careful consideration as part of any policy making process. And again, I think there's a broad sense that more needs to be done in this space. More needs to be done from an offensive cybersecurity, offensive cyber perspective, and that the private sector may have a role in that. And we wanted to give people options, different ways to think about it, different policy goals they could achieve, how they could handle different aspects of this challenge, from the kind of targets, the kind of tactics, the type of legal regime that we put in place. So instead of coming up with one answer that would just be ours, I think we wanted to help feed the policy process with the kind of information that will be essential for policymakers to come up with the best option at the end of the day, if this is something they really want to pursue.

Alan Rosenstein

Next, I want to try to define some terms, and I was hoping that you all could clarify the distinction between the different kinds of cyber operations that are at issue here. So in the lingo, there are defensive cyber operations, there's active defense, there's offensive cyber operations. To me, the lines have always seemed very blurry, especially in cases like the Sophos counteroffensive that you mentioned.

Unnamed Speaker

So.

Alan Rosenstein

So maybe you can speak to that as well. What is your best simple explanation for the differences between these different kinds of cyber activities?

Brandon Wales

I mean, I'd start with maybe like, the simplest way to think about it is defensive operations are things that you're doing on your own network. And offensive operations are when you're going to be touching someone else's network, an adversary's network, or potentially an intermediary network that an adversary is using to target you. So that's the clearest distinction. I think from there it gets complicated and it gets very nice and allotted to a gray area. Active cyber defense is a term that gets thrown out a lot. Some people buy that mean hack back where you're actually going out and targeting an adversary. Sometimes it means doing things on your own network to specifically disrupt an adversary's operation that might be ongoing. There's not clear legal definitions for this outside of what's covered by the Computer Fraud and Abuse act, which basically just prohibits any type of alteration of someone's computer that you don't have authorized access for. And I do think that as part of any regime, that could come out of this clarifying some of the boundaries here are essential. And I think that is one of the key questions that we ask. One of the key factors is what types of cyber activity are you comfortable enabling the private sector to do once they leave the boundaries of their own network?

Unnamed Speaker

You know, when you started, you said you see them as sort of like ill defined, squishy terms. And I had the complete opposite perspective when I started this work. Because really, when we talk about this, I don't know, Brandon, you tell me, like, in government, we talk about offense and defense, and we think about them as two, or at least I used to think about them as two circles on a Venn diagram with almost no overlap. And as we start to look through actually the types of activity that we see today, private sector operators doing there, it does feel like there's a little bit of overlap. Brandon mentioned the act of cyber defense, and there's already some stuff that's happening, you know, with permission, to the courts and et cetera. So it's interesting, I walked away with a very different perspective that some, some of the things that policymakers and others are really talking about wanting to happen may already be happening, and those serve as instructive precedents. The challenge may just be that they're not happening at scale or it's taking too long to be able to make them lawful to happen. If you have to seek civil cover through the courts, things of that nature.

Alan Rosenstein

Why write this paper now? And I ask because the debate over sort of hacking back, or however you want to call it, it's not a new debate. Right. It's been going on for many years. It has these ebbs and these flows. Why do you all feel like now is a good time to intervene in this debate? Is there, is there additional interest on Capitol Hill that you are anticipating or trying to affect? I'm curious about the timing component of this.

Brandon Wales

Yeah. So I'll. Mel Strauden and Suzanne can add in. There is certainly far more interest on the Hill than there has been in a long time. I testified in January. I got asked it from one or Two different members who are interested in it. There are members on both sides of the aisle have talked about it publicly, about the interest in doing this. Certainly there is a broader interest in expanding offensive cyber operations coming directly from the White House. So there is just a much broader interest right now, I think partly driven by the fact that there is a sense, an accurate sense, that the threats that we are facing in cyber have not been sufficiently managed using the tools that we have. To date, they have not sufficiently worked. We still have a ransomware epidemic in this country. We still have nation states that operate with near impunity in cyber. They're looking for additional tools and hackback is one of them.

Unnamed Speaker

Yeah, and the conversation has been persistent, really, because the scale of the problem is huge, as Brandon said, and it continues to grow. Right. So I saw a really instructive statistic just a few months ago that has always stuck with me. 50 years ago, like the total value of companies on The S&P 500 index was mostly in things like, you know, tangible assets like factories and inventory. I think it was over 80%. Today that's flipped. So over 90% of the S&P 500's value is in intangible assets like software, data, intellectual property. And it's those assets that Internet connectivity has enabled hackers, whether just malicious criminals or nation states, to go after and pre position in. And that's part of the reason why governments and security experts have continued to tell companies to focus on defense and get better at taking punches, putting energy into surviving and bouncing back from attacks, recognizing that security can never be perfect. Right. But status quo isn't enough. Like there are many things we could be doing. And this idea of like, why should we just continue to take punches? Why can't private companies punch back? Is I think the language that was used at Brandon's hearing keeps coming up. And that's part of the motivation now is like perhaps there's deterrent value to having basically the US Private sector unleashed in some way. Like perhaps threat actors won't target the United States in the way that they have in the past. I mean, there are all sorts of motivations here, but for sure, I think the scope and scale of disruptions is driving this.

Alan Rosenstein

So we're going to jump into the paper. But before we do, I want to ask one last kind of background question, and it's about your own background and how that informs how you approach this problem. So you both have had high level positions in the government working on these kinds of issues. Cezanne, you were at nsc. Brandon, you ran cisa. Now you're both in the private sector doing related work. And so I'm curious how those experiences, again, both on the government side and then on the private sector side, have informed this. And I'll just say I'll do a little bit of editorializing. I'm an academic and academics sometimes debate these interesting questions of hack back. And that's great and all, but there's sometimes an air of kind of unreality because often those of us who have interesting academic ideas about this don't actually know what it would mean to enable a private entity to go and do various cyber activities abroad. I think YouTube had the benefit of knowing much more on a day to day basis what that would actually look like. And I think it lends wonderful credibility to your analysis. But I don't know how do you see how your background has informed how you think about these kinds of issues?

Brandon Wales

The thing that I would hit on the most is having spent a number of years having been part of the conversations around how the US Government authorized, was authorizing its own offensive cyber operations. The process by which the government went through and considered potential targets, decided on them, debated how to use its offensive cyber capabilities. I most wanted to bring that to bear in considering expanding that, the role of the private sector in that space, that the complexity, the thoughtfulness carried forward because there are a lot of advantages to the very deliberate process the US government goes through. Now again, it does slow things down. It's not as fast and as nimble, and it doesn't have the benefit of scale, the potential that the private sector could bring to bear. But it makes sure that really critical issues are being considered. And I wanted to make sure that as people were thinking about expanding the role of the private sector, that they thought through those same questions, what kind of targets are legitimate? Where could those targets be located? What types of capabilities should be allowed, which shouldn't be allowed, the degree of which the US Government should be involved in these decisions. All of those have real importance for geopolitical and national security interests of the country. And they need to be part of this conversation. And so when Cezanne raised this idea to me, I wanted to jump right in because these issues are extremely, extremely important. And I saw them firsthand in the government as we went through them. And as we're thinking about expanding to the private sector, we need to have that same thoughtfulness as part of the policy process. And I think that's what this paper attempts to do.

Unnamed Speaker

Yeah. And one of the Things that has changed. So I've been out of government for a couple of years now and my perspective has changed dramatically. I used to see things exclusively through the national space security lens and I still do to a great extent, but I'm now at a cyber insurer. And one of the things that I have the benefit of is a ton of data and I understand a lot about just what's happening on the ground in terms of like, you know, real systems being attacked by real threat actors and how they fare and recover. And, and what I'm, what I'm seeing is, you know, truthfully, a lot of the incidents that we're seeing, notwithstanding the ones that are driven by malicious nation states like the Volt typhoons, are not that sophisticated. I'm also getting a much better appreciation for something we've been hearing agencies like CISA say for a long time, and that's that today we put a disproportionate burden for the security of our technology on the end users of technology. And that to me feels like if what we care about as a society is security, that's probably not the right policy. Like from a public policy perspective, that's probably not the right formula here. So I think it's important to engage in the hack back conversation because it's important to be open to any option but recognize that really a complex problem is going to require a complex solution. And this may be one of them. But thinking about these things just with an open mind is both timely and important.

Alan Rosenstein

So one thing you stress in the paper is the importance of getting very clear on the goal of all of this. What strategic objective are you trying to, would the, would the US Government be trying to achieve here? And there are a range of policy objectives, right? There's augmenting the government's capacity, there's disruption of adversaries, there's a bunch of other stuff. And so I'm curious, obviously these are all interesting and legitimate goals. In the kind of short term, what do you think are the sort of primary goals that policymakers should be thinking about, you know, in the next 18, 24, 36 months, that is relevant to how private sector involvement and hacking back, however you want to call it, can be used?

Unnamed Speaker

You know, I don't have a personal view. I just think one of the things that's happening is we're often talking about solutions and the way to structure legal changes without actually talking about what we're trying to achieve. So that's sort of thing. One, what's clear is like in the conversations that I've heard and some of the quiet conversations that are happening now. The goal really is to expand capacity, the ability to act more quickly than currently we can because we're limited to basically the US Government performing offensive cyber actions with certain narrow exceptions, that sort of thing. One thing, two, I think there's, there is an interesting thing in the United States where, you know, of course we don't. The US Government doesn't monitor private networks domestically. And so there is a bunch of data that private actors will.

Alan Rosenstein

That's, that's, that's what they would say, wouldn't. Wouldn't it?

Unnamed Speaker

Yeah, well, that is what I'll say. Having been in. I have a lot more information now that I did when I was in, when it comes. But there is an aspect of, like, participation that can actually complement the picture in a way that's, you know, advances our national security and resilience goals. So just laying out what the, what the specific goals are, I think is really important. We identify a couple of other country models we talk about in Estonia, like having just a bench of experts that you can call upon in the event that there's a national security issue that you can draw up just to immediately augment your bench, so to speak. So I think I'm generally open. There are certain things a private sector can do that government can't do, and I think that's important to recognize. But that's. That I think is a piece of what's missing in the conversation, actually across many policy circles, is that many are engaging in this conversation with different goals in mind. A deterrence is a big one. The idea that again, as I've said, like, if the United States allows private sector entities to hack back, like maybe as a, just as a region, we'd be last or as a country would be less interesting to, to criminals.

Brandon Wales

So, you know, I think Cezanne hit the point perfectly. So, you know, I'm not going to disagree anything with there. What I'm going to try to add is how I think policymakers should kind of reflect on all of the, the potential policy objectives we had in there, which is really a question of how do they, how does the government get the most out of the innovation and capability in the private sector? And there are a lot of ways of doing that. To date, it is focused on things like information sharing or a direct contractual relationship to support the cyber activities, both defensive and offensive, of the federal government as it moves forward. Even if it wants to have the private sector expand its role, there's not A one size fits all approach to that. They can have an expanded role without going directly into offensive operations directly hands on keyboard of hostile networks. It could be improving the ability to provide more insights into the government based on the enormous visibility that the private sector has. It could be lightening certain potential blockages and prohibitions on doing that. It could be expanded research and development and offensive tooling that will eventually benefit the government. But really the goal needs to be how do we get the most out of the private sector? Because that is really a strategic advantage for the United States. The thing that separates United States from places like China and Russia is really the vibrancy of our private sector. And we want to get the most out of that because that can add tremendous value, really does, every day on a defensive cybersecurity perspective. But if we want to get them more involved in the offensive space, let's identify the best possible way of doing that. That maximizes our advantages and minimizes the potential risks, some of which we identify in the paper.

Alan Rosenstein

So let's talk about the mechanics of how some of these proposals might work and we'll get into the legal questions in a little bit. Right now I just want to think more like on a day to day or hour by hour basis, there's some cyber intrusion, some private sector entity wants to respond in some way. What are the different models for how this might happen? Does the government just sort of give ex ante permission and say, good luck, let us know. Does the private entity go to the government and say, hey, here's what you'd like to do. How detailed is the government involvement? Just kind of walk us through the range of possibilities and sort of, what are the kind of high level pros and cons of different points on this sort of spectrum?

Brandon Wales

You know, I'll start, but I think as you note, each of these has a potential range of of options. You know, the degree at which the US Government is involved upfront and also in the midst of an attack, the government can have very light touch where it could just say it could have some licensing regime, or it could have some broad ex ante permission for the private sector to respond to cyber activity. It could broadly allow targeting of a certain class of actors. Alternatively, it could be much more involved having to approve individual operations. There would have to be a decision there. And again, there is a range of options. I mean, the more the US Government is involved, the more it controls the impact, the more it can provide its insight, knowledge and expertise, particularly in terms of the potential diplomatic and escalation risks from conducting certain operations, the less it's involved, potentially some of that information is not available to, to the private sector. On the other hand, the more the US Government is involved, the more it is likely to suffer from the similar type of bureaucratic processes that could slow down operations that proposals like that are being talked about are trying to solve for. If you're trying to speed up the speed and scale of operations, then you want to reduce friction, you want to reduce bureaucratic processes. Having the US Government heavily involved might run counter to that objective. So again, going back to the earlier conversation, identifying that objective and, and those sets of goals and objectives is critical because how you structure the program, including the degree of involvement and how you would structure the regulatory or statutory regime are essential.

Unnamed Speaker

Brandon has covered it beautifully. I would say that there, it seems to me in many of the conversations there are really two objectives here, just increasing the number of actors that can work in the space, given the scale of activity, but also the speed. So as you look at the different, we have a number of different proposals and setting aside how they would work legally, like, and those are illustrative, by the way, and they're not exhaustive. But like, the idea really is, are you going to give entities permission to basically act immediately when they're attacked or even preemptively if they see someone sniffing around their systems and they want to disable or, you know, try to identify the actor before they're basically hacked? There's the question of giving permission to those entities before or forcing entities to come to the government for permission after they're attacked, or granting permission that they can act once they're attacked. Like there are a bunch of different models, I would say it feels like, because we're trying to solve the speed problem and many of the proposals we've seen have been about licensing regimes. Right. So you identify specific actors that you, you identify have the capacity to do this work because it is not easy to do. Right. Have the capacity they can work at scale and you provide them clear boundaries to act. That seems to be the direction that many are going in. What is less clear to me, however, which we don't cover in our paper, is any entity that's licensed, are they going to be permitted to only defend their own networks or are we going to have like hack back as a service? Which is a little bit of a scary thought to think about, but that's another open question because we have many, many businesses that are being hit every single day. And you know, you can see that there will be demand potentially from some to actually seek this kind of assistance. And that, that's an open question, I think.

Alan Rosenstein

Is it an open question? It seems obviously what will happen like, like within 40 of you?

Brandon Wales

I think it'll be, I mean, I, I was talking about this with my team this week and literally the first question was like, oh, are we going to do a startup to, to support this effort? I mean, you know, that, that kind of idea, you know, percolating. I think that there will be, and in some respects it may be in the government's interest to have people who are the right level of expertise and capacity that would be licensed to do this, as opposed to making a bit more of a free for all with a lot less capability and a lot more potential downside risk from actors who don't know what they're doing, trying to engage in offensive activity.

Unnamed Speaker

And you know, there could be value if, especially as you think about the risk and there are so many different moving pieces, but maybe the goal is just sometimes identifying the actor and attribution. That's something that someone can do without, you know, without destroying or doing anything that can't be undone in an offensive cyber activity. Yeah, you're. I think you're right, Alan. I think even if on day one, that's not the action, I think eventually there will be a demand for hack back as a service. And this is the conversation that starts with that and ends with do you guys want to start a hack back as a service company?

Alan Rosenstein

Uh, you know, I'm, I'm, I'm around.

Paige

If you're an experienced pet owner, you already know that having a pet is 25% belly rubs, 25% yelling drop it. And 50% groaning at the bill from every vet visit. Which is why Lemonade pet insurance is tailor made for your pet and can save you up to 90% on vet bills. It can help cover checkups, emergencies, diagnostics, basically all the stuff that makes your bank account nervous. Claims are filed super easily through the Lemonade app and half get settled instantly. Get a'@lemonade.com pet and they'll help cover the vet bill for whatever your pet swallowed after you yelled, drop it.

Brandon Wales

Avoiding your unfinished home projects because you're not sure where to start. Thumbtack knows home, so you don't have.

Alan Rosenstein

To, don't know the difference between, between.

Brandon Wales

Matte paint finish and satin or what.

Cezanne Seymour

That clunking sound from your dryer is.

Brandon Wales

With Thumbtack, you don't have to be a home pro. You just have to hire one.

Alan Rosenstein

You can hire top rated pros, see price estimates and read reviews all on the app.

Unnamed Speaker

Download today.

Howie Mandel

There's the part of me that everyone sees. I'm Howie Mandel, the comedian. Apparently I know what funny is. Funny bought me a house. But I also know what isn't funny. Ocd. I've lived with ocd OCD my entire life and people throw the term around like it's no big deal. But OCD is severe, often debilitating. It's a mental health condition that involves unrelented, unwanted thoughts that can make you question your character, your beliefs, even your safety. General therapy can help with some things, but for ocd, it can actually make things worse. That's why I want to tell you about NO cd. NO CD is the world's largest treatment provider for OCD and is covered by Insurance for over 155 million Americans. Their licensed therapists specialize in ERP, the most effective treatment for OCD. If you think you might be struggling with OCD, go to nocd.com to book a free 15 minute call. They are here to help.

Alan Rosenstein

So maybe I'm. Maybe I just lack imagination. But I will say the spectrum that you all lay out, which I think analytically is totally the right to think about it, from very minimal, case by case authorization, where the company has to go to the government and ask, hey, we'd like to do this, and okay, you can do this, but you can't do that all the way to here you go, here's your license. Godspeed. That's obviously analytically the correct way of thinking about it. And honestly, if the speed concern is paramount, then I guess you would want to go to that more autonomous end of the spectrum. But it just seems to me that given the difficulty of attribution, the fact that you could be going against what you think is an attacker, but it turns out to be a totally innocent third party because the attacker routed their attack through some third party that they took over on the one hand. So attribution risk on the one hand, and then the escalation risk on the other, which is, okay, maybe this really is the Russians that are hacking you. Well, is the government really going to want to just sit out and let you take down the Moscow electricity grid? It seems to me that at least at the very beginning, no executive branch, maybe the Congress is different here, but no one sitting where you all sat. The two of you when you were in DC Though, don't let me put words in your mouth, would be comfortable with anything other than the most limited kind of, okay, you guys can press the button, but you know, we, the government, Uncle Sam is going to be behind your shoulder this whole time.

Brandon Wales

So I think, Alan, the only caveat that I would, that I would say is there's a big difference between authorizing, for example, a private sector to hack back against the infrastructure that is targeting them. Now, again, you raise. There's important points, as we discussed in the paper, around third. You know, this could be an innocent, an unwitting third party whose infrastructure is being used, but in terms of targeting the infrastructure that is being used and a broader kind of retaliatory strike. So if a Russian government actor from the FSB or the SVR or maybe a Russian ransomware group is launching an attack against the company, retaliating against separate infrastructure just to cause a disruption, to impose some kind of consequences, that really in my mind is likely to stay a US Government type of action where it's imposing broader consequences on the act, on that country as some method of either consequence or deterrence. I think that is different than authorizing the private sector to immediately to respond to the infrastructure that is targeting them and take it offline. That one seems more reasonable in that spectrum of potential options. And I think the government may be more willing to allow the private sector to conduct an operation that just directly responds to malicious infrastructure that is being used against them than they would against an unrelated piece of infrastructure in some type of retaliatory strike. Yeah, I don't see that as would be part of any type of serious policy proposal in this space.

Unnamed Speaker

The point about not always knowing who you're attacking, though, I think is a really important one. And it's one, I mean, you asked a few moments ago, like, how has our perspective changed? I mean, being, being in an insurance space, I think about who's responsible for collateral damage.

Alan Rosenstein

I mean, it's you at this point, right?

Unnamed Speaker

I mean, a lot of the time it's you, maybe. But the insurance community is really good about writing exclusions when we have difficulty pricing, right? So, I mean, we face an environment where there could be a lot of collateral damage and sometimes you won't even know that, that an incident, you know, that someone has lost, like, you know, you'll have business interruption claims. But there are a lot of different stats here that you can point to and people have different methodologies and whatever. But directionally, I think they're right that this one is a security scorecard stat, if I'm not mistaken, that they found that over 40% of ransomware incidents that they observed hijack innocent infrastructure. So you can. And you don't always.

Alan Rosenstein

I'm surprised it's. I'm surprised it's that low.

Unnamed Speaker

It sounds low to me too.

Alan Rosenstein

But like, I feel like it should be 100% of the time.

Brandon Wales

That's probably. Probably ones they can prove. They can prove 40%.

Unnamed Speaker

Yeah, I think that's probably right. Yeah. Because like, you know, these entities are really good. The other stats that I've seen and I don't.

Alan Rosenstein

When I do ransomware, I always route it through a third party. I mean, I just. That just seems like. Exactly. Among me and my buddies.

Brandon Wales

Right.

Alan Rosenstein

All the time. Always.

Unnamed Speaker

I mean, I saw some horrifying. So apparently I saw a stat that 95% of like phishing emails go through botnet infrastructure. And, and that's like. I mean, it's just, it's in. All of that is like obfuscated.

Brandon Wales

And certainly the more sophisticated attacks you go, the more likely it is. I mean, you know, something like volt typhoon 100% was routed through obfuscated infrastructure that was on small and home office routers. So, yeah, I mean, if you are directly responding to an attack on your infrastructure, most likely you are targeting a piece of hijacked infrastructure someplace. Could be in the US could be in Europe, could be somewhere else. But you are likely targeting an unwitting third party.

Unnamed Speaker

And that's why this is so complex. Right. And that's why it keeps coming up.

Alan Rosenstein

Yeah. There is a separate question to be had about whether it's such a good idea for all of our fridges and toilets to be Internet enabled and therefore immediately part of some Russian botnet. But we can have that on a different podcast conversation. Okay, I want to get in now to the legal part of this analysis. So before we talk about what sort of legal reforms could accomplish any one of the kind of large permutation of options, I want to talk about what the sort of status quo here is. In my understanding, the Computer Fraud and Abuse act is the main blocking statute. Obviously there's all sorts of international law dimensions. Let's just focus on US Law here. Is that correct? And is there any way around that without doing sort of major reform, really substantive reform of things like 1030 and whatever other relevant statutes there might be?

Unnamed Speaker

Yeah, I mean, my read, and I'm not a lawyer, but based on, you know, the, the extensive time we spent on this and frankly, the prevailing view of other experts in this field is CFAA has to be. CFA has to be addressed in some real way because under the Computer Fraud and Abuse Act. Basically any effort to access another, an outside system, an adversary system without authorization can trigger liability. So that is part of the reason why you do see a little bit of activity in this space like when the Microsoft, the Palo Alto's or the Googles of the world take down botnet infrastructure. But they're always doing it with the COVID of, you know, civil courts. So that to me feels like a reasonable place to start. Unless you're looking at, you know, maybe you don't need that if you're going through letters of marque. But that's, that's sort of a separate, a separate and I think maybe less likely case.

Brandon Wales

Yeah, I mean the bottom line is you'll need some type of congressional action either to amend the CFAA or to pass some other type of legislation that will give certain authorities, notwithstanding the cfaa, you know, the private sector, the ability to conduct something. But you're going to need some type of congressional action if you want to allow the type of hack back. That is the one that is most discussed. And I think the reality is corporate councils are going to demand that or else they're going to view the risk as simply too great to allow this kind of, you know, these kind of operations without very clear statutory clarity.

Unnamed Speaker

That's an important point because you could like, you know, you can write an EO tomorrow and like, I don't think anybody would wade into this space without that kind of legal certainty.

Alan Rosenstein

It worked for TikTok, which I just have to say because that's been my obsession for the last year. But yes, I take your point. No good corporate counsel certainly should just go on various unenforceable promises out of the White House. Fair enough, fair enough.

Unnamed Speaker

It's not just, you know, cfaa, there's also the Electronic Communications Privacy act is another that I think will become potentially triggered depending on what the activity is, where the action is.

Alan Rosenstein

But yeah, so Cezanne, you mentioned letters of Mark and I have managed to, to wait an entire 40 minutes before getting to ask about that. But letters of mark are always fun to talk about because I immediately think of cyber piracy or I guess cyber privateering maybe the more historically accurate term. So what are letters of Mark and reprisal and just explain why a 18th century legal concept which is in the Constitution could possibly be relevant to a 21st century digital problem.

Unnamed Speaker

Yeah, I mean, well, first of all, because they're really cool is like, I think the real answer.

Alan Rosenstein

I honestly have wondered because obviously people have talked about cyber letters of mark for Many years. And part of it is I've always wondered how much of it is because it's really cool, which is a perfectly fine reason to do policy.

Unnamed Speaker

Yeah, Well, I mean, I had this conversation with a colleague earlier this week. It's a congressional constitutional authority, as you say. Right. So they're like, well, we can do it now. And I'm like, yes, but it takes an act of Congress, which, as you know, living in Washington to is, you know, is not equ. If your speed is your, your, Your interest is probably not where. Where we need to be. But just as you note, this is a constitutional authority that's in our Constitution. Basically, there are instruments that give a sovereign authorization, I think is a language to private entities to do what otherwise might be unlawful acts of piracy or war. So essentially think of it as a license to, to steal, to act. I mean, the specifics would be in the actual letters of mark, but.

Alan Rosenstein

And it's a license under international law or under domestic law. I will always say it. Always. I was never fully understood when I, you know, I teach con law right to one ls. We don't spend a lot of time on letters of marque and reprisal. But, you know, I do read it every time I teach con law. And I've always wondered if the primary authority here is a domestic authority, which I would have assumed was already covered by, let's say, the Commerce Clause, or if it's an international law authority, but I would have thought they may be already covered by Congress's powers to regulate the law of nations or to create crimes regarding the law of nations. I always assume that what letters of mark are doing in the Constitution is that it is specifying that it is Congress, rather than, let's say, the President, who has the authority under international law to trigger letters of marque, which presumably in the 18th century were a recognized international law thing that a sovereign could do, hence privateering.

Unnamed Speaker

Yeah, I mean, they haven't been used since the Civil War. Right. So I don't, I don't think we fully really know, but they, they are very popular in the context of offensive cyber. They've also been proposed, as we found in our research, to seize or pillage assets from sanctioned entities, Russian entities in particular.

Brandon Wales

I think cartels.

Unnamed Speaker

Cartels like also. Yeah, cartels in the context, I think the fentanyl crisis. And so the reality is, like the, the domestic international question is, Is the right one. But ultimately I don't think a foreign government would recognize a cyber letter of mark.

Brandon Wales

Yeah, I mean, I Think a cyber letter of Mark would the private deter entity may have all the same legal liability in international contexts for any violations of, of the laws of other nations. Or possibly they could be, you know, they could be treated as if they are being done by the US Government because of the official sanction. I don't think we really know today how that would be handled because it just. They've not been used in this kind of context in more than a century. So, you know, we would. Those issues would need to be ironed out and I think there are going to be really important ones for if that is the chosen approach for the private sector that would receive these letters of marque, what the implications are both domestically and internationally for exercising them.

Alan Rosenstein

Am I right though then that again, Letters of Mark being very cool, Congress doesn't need to call this a cyber letter of mark, nor does it need to specifically point to the letter of mark provisions in the Constitution to accomplish whatever reforms of section 2, 231 would want to enable this on the domestic side. Is that, I mean, so I think cyber Letter of Mark, it's like a useful shorthand for the concept, but it doesn't actually have to be tied to this like specific constitutional authority of Letters of mark.

Brandon Wales

Yeah, I think that is our understanding. I think the only real issue is what does that mean for the international context? And then would they be covered under kind of US Government sovereign cyber action as similar to action that would be taken by military or intelligence services here? Would they be treated similarly on international law? Or will they, the private companies bear some separate responsibility?

Alan Rosenstein

And actually that's where I want to turn to next, which is the international law dimension to it. Right. Obviously the primary concern for US General Counsel is I don't want to violate 1030. But presumably you also don't want to violate international law. Or to the extent that you don't really think that international law is all that important, you don't want to violate someone else's law. Right. You don't want to violate ideally Chinese or Russian law. But fine, maybe you have accepted that. But what you really don't want to do is violate French law or UK law or Canadian law, because again, on the assumption that most of these attacks will be routed through innocent third parties, probably in friendly countries, because those friendly countries will have infrastructure that the US servers are probably more willing to, let's say, whitelist or allow through. You have a situation where you might take down a Canadian hospital or a French school or whatever the case is, and now you're in trouble. So how do you, to the extent that one can avoid that, and how much do corporate counsel care about foreign legal issues, even if they have clearance under, under U.S. law? And obviously there are a lot of different countries I'm asking to go to go country by country. But am I right to think that that is an important piece of this puzzle?

Unnamed Speaker

I think it's, it's one of the many, but one of the top issues that I think will be very difficult to resolve. I'm not quite sure how we resolve it. Especially, you know, we have many multinational companies that care, as you noted. Like, you do business in the United States, you also do business in Europe. And that global legal context is so important because, you know, as we parse out in our paper, some countries have sort of thought and integrated some public private cooperation in the offensive cyberspace. But if the US Moves in this direction, we would be the first to explicitly authorize, presumably independent operations, private offensive cyber operations in our national law. And then we're basically setting new precedent. I'm not really sure what would happen, frankly. And I think if I were advising just sitting inside of a company, we, we operate in many countries, and one of the questions for us would be like, is it even worth moving into this space or is the potential, you know, we talked about accountability, responsibility, liability, like, you know, is. Is the Gordian knot of potential unknowns so large that it's just not worth wading into the space. Space? And I don't really have a good answer to that.

Brandon Wales

Yeah, I mean, I don't have much to add because I think this, you know, Cezanne hit the, hit the nail right on the head. I mean, this is probably one of the most critical questions that will be facing any regime, which is if you want the regime to be workable, if you want people to actually use it, how do you address this issue? So any multinational company that has the, you know, that may operate overseas is going to have very careful consideration around using this authority because of the potential for criminal and or civil legal risk in third countries. Now, again, some smaller companies that don't operate globally, they may be more willing to use it, but again, then they're the ones that are less likely to have the kinds of capabilities and may not want to invest the resources in having teams that are capable of executing this kind of, this kind of operation. And so I think this. That's going to be a real challenging piece to address. Now, again, you may want to say you're authorized to conduct operations in certain Places, but not others. And, or you may just be willing to only conduct operations in places where you have lower legal liability. And so you're not going to conduct operations where you're, where you have locations. You're not going to conduct them in Western European countries, but you may be willing to conduct them in Iran or China directly. So that may be an outcome, but I'm not sure it's one that can be easily designed into a program from the start, given as we talked about the way in which most cyber attacks are routed through unwitting third parties.

Unnamed Speaker

And you know, as we talk about it, we get back to one of the questions that we raised in the paper, right? So we talk about your policy objectives and we talk about like the scope of authorized activities and within the kinds of activities that, that we would imagine private sector entities potentially performing. We bucket them into destructive and non. You could potentially see an environment where, you know, there's a global ransomware pandemic where allies agree that, you know, if, if the activity is just trying to identify what you believe with reason with collaboration with the private sector, with the government rather is a criminal ransomware enterprise. And you're just trying to get, use a private entity to get attribution to identify the source and the infrastructure that may be enough because no one is disrupting anything or taking anything down. And then there's like a separate, a layer of approval through the government process. You could, you could imagine a scenario where we sort of dip our toe in the water and we're using private entities to just be the investigators, right? Who are these entities? Where are they? What infrastructure are they using? And are they criminals? Is it innocent infrastructure? Like, you might be able to see that, but this is one of the thornier issues.

Brandon Wales

And al, let me just one more point on this because there are a variety of ways in which you can deal with third party infrastructure. It may not always be a hack back. And the more sophisticated companies who may have operations and locations in Western European countries, for example, may just choose that for infrastructure that's targeting them, that's located there. They're going to make referrals to the law enforcement or cybersecurity authorities of those countries and they're going to reserve their hack back for locations elsewhere, again where there's less legal liability. So even if the authority was granted, they may not want to use it in all contexts for exactly this purpose because they want to try to avoid some of the downside risks. And because of their size and scale, they have the ability to get to the right people and have law enforcement authorities take action or make a notification to that unwitting third party whose infrastructure has been hijacked by, by a ransomware crew or by the Chinese.

Alan Rosenstein

So I want to end by asking you both to kind of reflect on what it means that we're even having a conversation seriously about enabling private sector participation in what ordinarily we think of as a classic state activity which is projecting force abroad. Do you view this as an indication that fundamentally our cybersecurity has failed and that the government in particular has failed in its obligations, so that now we have to spend all this time talking about letters of marque and the role of insurance and all that sort of stuff? Or alternatively, is this just inevitable, right, that this is not the sort of threat that under any plausible set of conditions the government could handle by itself, and that you'll always need some degree and potentially extensive degree of private sector involvement. So let's start with Brandon and then Cesan, you can have the last word.

Brandon Wales

Yeah, I mean, you know, in some respects we've, we've come full circle as a country. I mean, the reason why there was letters of marque is because governments, you know, early governments weren't able to deal with piracy on the high seas, and today we're not able to deal with, you know, what is the current day pirates of ransomware crews and malicious nation state cyber actors. We are not meeting the moment the threats are more aggressive and at a scale where government action alone has proven insufficient. Now, again, there's lots of answers. I mean, the previous administration wanted to focus much more on regulatory authority to kind of drive down risks domestically. The current administration wants to ramp up offensive activity to provide more of deterrence and disruptive effect. But it's all designed around the idea that we are not able to match the level of threat we currently face. And that is why this is now being taken more seriously than it was five years ago when people were having some of the very similar conversations, but they were not in the places and of import that they are today?

Unnamed Speaker

Brandon, it won't surprise you captured my sentiment, but I would just say that the question of whether we failed, I think, is an important one. The reality is we, we continue to face a very, very serious national resilience problem, a digital resilience problem, and it's driven by a lot of different factors. I will say that getting more private sector participation in offensive operations isn't a silver bullet, and I actually haven't heard anyone seriously suggest that it is. Right. But you know, it's one tool. I will say my, my very strong view, especially with a sort of renewed perspective on this, is that if our national end goal is resilience, then there are probably much more effective policy changes that we should be prioritizing as a country. So, you know, again, we have digital vulnerabilities across our infrastructure. Those are exacerbated by the quality of technology that's brought to market. We put too much of the security burden on end users of technology, notwithstanding the fact that they're the least equipped to handle that right. Relative to the vendors. Most of our critical infrastructure is privately owned and those companies make their own decisions about security, investment and risk. But when things go wrong, it's the public that ends up paying the price. And sometimes the government has to step in. As we saw with Colonial Pipeline. The right policy response here is going to have to address all of those realities. And there are a lot of Lawfare papers that actually speak to these different things, you know, standards, software liability, etc. So far in this country, I wouldn't say the government has failed because just we can't agree. We have not had the political will for comprehensive reform in this government. Our approach has mostly been voluntary, with the exception of some narrow recording obligations. And that trend continues. Right. And as a consequence of that, whether it's failure or not, I don't know. But our nation has basically endured a never ending series of digital papers cuts, right? Each cyber incident is painful. Recovery takes longer than we like, but eventually we recover and we would move on. In my view, all it's going to take is one or two more serious disruptions for the public sentiment to shift and demand action. And at that point I suspect there will be political will to act. Offensive cyber operations may be part of that conversation, but that alone isn't going to be enough.

Alan Rosenstein

I think that's a good place to end it. Brandon and Cezanne, thanks for writing a really terrific paper and for coming on the show to talk about it.

Unnamed Speaker

Thanks for having us.

Brandon Wales

Thanks, Alan. Appreciate that.

Alan Rosenstein

The Lawfare podcast is produced in cooperation with the Brookings Institution. You can get ad free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter at our website, lawfairmedia.org support. You'll also get get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, the Aftermath and Escalation. Our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work@lawfairmedia.org this podcast is edited by Jen Patya. Our theme song is from Alibi Music. As always, thanks for listening.

Brandon Wales

Foreign.

Howie Mandel

There's a part of me that everyone sees. I'm Howie Mandel, the comedian. Apparently I know what funny is. Funny bought me a house. But I also know what isn't funny. Ocd. I've lived with OCD my entire life and people throw the term around like it's no big deal. But OCD is severe, often debilitating. It's a mental health condition that involves unrelented, unwanted thoughts that can make you question your character, your beliefs, even your safety. General therapy can help with some things, but for ocd, it can actually make things worse. That's why I want to tell you about NO cd. NO CD is the world's largest treatment provider for OCD and is covered by insurance for over 155 million Americans. They're licensed there for therapists specialize in ERP, the most effective treatment for OCD. If you think you might be struggling with OCD, go to nocd.com to book a free 15 minute call. They are here to help.