This post was prompted by questions I was asked to address when I participated in a panel discussion of cybersecurity. Here are the relevant questions:
Should we reconsider the notion that companies under attack are prohibited from investigating the attackers and trying to locate them? We allow private investigators to conduct some activities that usually only the police are allowed to do; should we accredit private cyber investigators?
I’m not really sure what my response is to the first question. I didn’t realize companies are prohibited from investigating the source of an attack and identity of the attackers.
Obviously, conducting such an investigation would be illegal if the company employees broke the law while they conducted the investigation; so if, say, computer investigators working for Company X hacked into computer systems in an effort to find out who had been hacking their system, that would be a crime under U.S. state and federal law and under the law in many other countries, as well. They’d be accessing those computers without being authorized to do so, and unauthorized access is, as I just noted, a crime in many countries. Aside from that, I’m not aware there’s any free-standing prohibition on a company investigating a cyber attack (or a real world attack, for that matter).
That question doesn’t really interest me, I’m afraid. The one I found more interesting is the second question: whether we should accredit private cyber investigators.
It looks like we already do, at least in some states. Michigan’s Professional Investigator Licensure Act, for example, defines a “professional investigator” as someone “who for a fee, reward, or other consideration engages in the investigation business.” Michigan Compiled Laws § 338.822(h). The Act defines “investigation business” as a business
that, for a fee, reward, or other consideration, . . . accepts employment to furnish . . . or makes an investigation for the purpose of obtaining information with reference to any of the following:
(i) Crimes or wrongs done or threatened against the United States or a state or territory of the United States, or any other person or legal entity. . .
(v) Securing evidence to be used before a court, board, officer, or investigating committee.
(vi) The prevention, detection, and removal of surreptitiously installed devices designed for eavesdropping or observation, or both.
(vii) The electronic tracking of the location of an individual or motor vehicle for purposes of detection or investigation.
(viii) Computer forensics to be used as evidence before a court, board, officer, or investigating committee.
Michigan Compiled Laws § 338.822(e). The Professional Investigator Licensure Act defines “computer forensics” as “the collection, . . . analysis, and scientific examination of data held on, or retrieved from, computers, computer networks, computer storage media, electronic devices, electronic storage media, or electronic networks, or any combination thereof.” Michigan Compiled Laws § 338.822(e). Since you have to get a license to engage in the investigation business, it looks like Michigan already accredits private cyber investigators . . . at least in a literal sense. And if Michigan does, I suspect other states do, as well.
What I found interesting about the second question, though, was what it might imply. My first question was what, precisely, would we want these private cyber investigators to do that isn’t already being done?
My sense is that companies are, as I noted earlier, already having employees with the necessary skills investigate cyberattacks launched against the companies. If that is true, and we’ll assume it is true for the purposes of this analysis, what would we achieve by accrediting company employees as private cyber investigators or, alternatively, letting companies hire independent private cyber investigators to analyze cyberattacks? The question, I think, necessarily implies that we would achieve something we don’t already have, but what?
One possibility is that when the question says “accredit” it really means “deputize.” Why might that be a logical possibility? The answer, I think, lies in figuring out what we’d be trying to accomplish by giving private cyber investigators some special status. The only way the question makes sense is if we’re trying to (i) let the private investigators do things they can’t already do and/or (ii) get them to do things they’re not currently doing.
What would we be trying to let them do that they can’t already do? As I noted above, private cyber investigators can’t break the law as they conduct their investigations, so maybe this is what the “can’t” alternative is going toward. I don’t really think that is what the question is going toward. I certainly hope that isn’t what it’s assuming because that would mean we’d be authorizing vigilante action; and as I noted in an earlier post, while vigilante action can be superficially appealing when we’re dealing with activity that tends to elude the efforts of law enforcement, it’s always, IMHO, a very, very bad idea to go down the vigilante path.
The “can’t” alternative might be trying to address the breaking the law/vigilante scenario by letting us deputize the private citizens who investigate cyberattacks on behalf of the companies that employ them. I briefly checked some state statutes and confirmed that law enforcement officers in at least some states can still deputize private citizens so they can help regular officers deal with crimes, etc. Deputies apparently didn’t die with Old West posses. So maybe the notion of accrediting private cyber investigators is meant to overcome the “can’t” problem by letting them do things law enforcement officers can do, which brings us back to the “what?” issue.
What would deputizing private investigators let them do that they can’t do now but law enforcement officers can do? One thing might be to let them apply for search warrants that authorized them to go into other systems to collect evidence; that could address the civilians-can’t-violate-the-law issue. If deputizing them did this, then the deputized private cyber investigators would presumably also be able to rely on exceptions to the 4th Amendment’s warrant requirement, and use consent or exigent circumstances to go into a system without first getting a search warrant authorizing the intrusion.
At this point, I don’t know if that’s doable under our law or not. I’ve been traveling so I haven’t had time to research the issue in detail. I’m going to assume it is doable, if only because it seems a logical implication of the power to deputize citizens to assist law enforcement officers in the conduct of their duties. I don’t like it, though, because it could get out of hand; I did a post a couple of years ago on the American Protective League, a World War I initiative that essentially deputized civilians to help federal agents find German spies and saboteurs and that got way out of hand. I fear something similar could happen with the scenario I’m postulating here.
That brings us back to the other alternative: trying to get private cyber investigators to do something they’re not already doing. I suspect this may be the real rationale for the question about accrediting private cyber investigators. One of the problems we have in dealing with cybercrime (and related cyberattacks) is that companies are not inclined to report attacks; since they’re not inclined to report attacks, the data a victimized company compiles about the attack almost certainly won’t make its way to law enforcement.
So maybe the question about accrediting private cyber investigators is only going to the issue of trying to get those who investigate cyberattacks against private entities to share the evidence they collect with law enforcement officers. I think that’s a real possibility. My problem with this alternative is that I don’t really see how accrediting investigators could get them to report their findings to law enforcement. I suppose it would give them more of a professional reputation, more gravitas, and maybe the theory is that this enhanced professionalism would encourage them to share their findings with law enforcement. I don’t see how and why that would work, though; it’s my impression that the failure to report is attributable to the companies’ concerns about negative publicity, not any lack of professionalism on the part of the employees who deal with cyberattacks.
Now, if the question is using “accredit” to mean “deputize,” that might change the analysis. If private cyber investigators were deputized, I assume it would mean they were under a legal obligation to share evidence they’d collected with law enforcement. And maybe that’s what the question is really going to—maybe it’s postulating a kind of nationalization strategy for the employees of private companies who are charged with investigating cyberattacks. If they became deputies of whatever governmental system (I don’t think the federal system does deputies, so they could be state deputies), then they would presumably be obligated to share what they had with the official representatives of that system.
There’s nothing that prevents a private citizen, let alone a private detective, from investigating the causes of a break-in. There’s a lot of law - and very good law - that prevents him from actually breaking into other premises to try and gather evidence.
Some vendors might not quite have caught on to that idea... a recent case being BKIS, a Vietnamese vendor who broke into some UK servers that they suspected were the command and control centers in the recent Korean DDoS attacks, and released email from the Korean CERT and the Asia-Pacific CERT association (APCERT) to the media as justification. The latest episode in this act seems to be that they’re trying to defensively sue the Vietnamese CERT for maligning their reputation…
Susan -
The question likely relates to the requirement for computer investigation professionals to be licensed in certain states in order for their collected evidence to be considered acceptable. A brief summary of the situation can be found here.
It’s a problematic situation, since you don’t often know the jurisdiction of a situation before starting the cyber forensics, and yet investigation by untrained or unqualified personnel obviously places the court in an untenable situation to use such evidence.
/John
I guess context is everything.
If one is evaluating logs, configurations and the state of various hosts, is one performing incident response or is one performing a forensic investigation with a court and legal proceedings in mind?
When an incident occurs one just doesn’t know at the onset.
With respect to John’s comment regarding untrained or unqualified personnel, this cuts both ways. I know LEOs that are eminently qualified and I know others that shouldn’t be allowed to touch a keyboard. There are plenty of CISSPs running around that couldn’t investigate their way out of a paper bag.
The answer with respect to courts and the supposedly untenable situation is simple. The court looks at the procedures, processes and documentation of handling to see if it meets a particular legal standard. It gets even messier as we look at criminal vs civil considerations. From my perspective I prefer to make sure that the data collection and evaluation generally falls under the business records exception (IANAL).
To make things even messier, consider Susan’s earlier post about weaponizing the web. If everything is crashing down around your head, will you be worrying about laws regarding private investigations or will you be more concerned about stopping the damage? Just a thought.
Mike
The most likely interpretation of the questions asked would be those cases whereby they’re prohibited from investigating and having the results be admissible evidence. Obviously, an organization can investigate and mitigate an attack against their own servers, but the point asked of Susan’s panel is most likely whether it’s fair that by doing so with unlicensed investigators, some states will preclude consideration of any evidence collected.
My understanding is that the moment you realize that it’s a crime scene, then it’s thereafter an investigation. To then collect evidence without a forensic approach (i.e. snapshot the disk to make images via a proven tool, establish chain of custody for the images, work only on copies of the images, etc.) is either optimistic, or outright precluded by law, depending on the particular state and potentially your possession of an investigator’s license. This is a relatively new and ill-understood situation in the industry, so not too surprising for it to come up at a cybersecurity panel.
/John
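The collection steps John lists above (image the disk with a proven tool, establish chain of custody for the images, work only on copies) are easier to reason about with a concrete integrity check. The following is an added example, not code from the post or from any commenter: it stands in a plain byte-for-byte file copy for the imaging tool, ties every image and working copy back to the original with a SHA-256 digest, and keeps a custody log of who handled which file and when. The file names, the actor label and the log format are assumptions, and the "disk" contents are constructed sample data.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images do not load into memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of every acquisition and copy (assumed format)."""

    def __init__(self):
        self.entries = []

    def record(self, action, path, digest, actor, verified=True):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "path": os.path.basename(path),
            "sha256": digest,
            "actor": actor,          # hypothetical analyst identifier
            "verified": verified,
        })

    def dump(self):
        return json.dumps(self.entries, indent=2)


def acquire_image(source_path, image_path, actor, log):
    """Image the evidence source and confirm the image matches it bit for bit.

    A real acquisition uses a write blocker and a proven imaging tool; the
    byte copy here only stands in for that step.
    """
    shutil.copyfile(source_path, image_path)
    src_digest = sha256_file(source_path)
    img_digest = sha256_file(image_path)
    if src_digest != img_digest:
        raise RuntimeError("acquired image does not match source")
    log.record("acquire", image_path, img_digest, actor)
    return img_digest


def make_working_copy(image_path, copy_path, expected_digest, actor, log):
    """Create the copy analysts are allowed to touch; verify it against the master."""
    shutil.copyfile(image_path, copy_path)
    digest = sha256_file(copy_path)
    ok = digest == expected_digest
    log.record("copy", copy_path, digest, actor, verified=ok)
    return ok


def verify(path, expected_digest):
    """Re-hash a file and compare with the digest recorded at acquisition."""
    return sha256_file(path) == expected_digest


def demo():
    """Run the whole workflow on a constructed 'disk' and report each check."""
    log = CustodyLog()
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence_disk.bin")
        with open(source, "wb") as f:  # constructed sample disk contents
            f.write(b"boot sector\x00" + b"user data " * 1000 + os.urandom(4096))
        image = os.path.join(tmp, "evidence_master.raw")   # assumed name
        copy = os.path.join(tmp, "working_copy.raw")       # assumed name

        digest = acquire_image(source, image, "analyst-1", log)
        copy_ok = make_working_copy(image, copy, digest, "analyst-1", log)

        # Analysis tools must only touch the working copy; simulate one
        # writing to it, which the recorded digest should then expose.
        with open(copy, "r+b") as f:
            f.seek(0)
            f.write(b"X")

        return {
            "copy_verified": copy_ok,
            "master_intact": verify(image, digest),
            "tampered_copy_verifies": verify(copy, digest),
            "log_entries": len(log.entries),
            "log": log.dump(),
        }


if __name__ == "__main__":
    result = demo()
    print(result["log"])
    print({k: v for k, v in result.items() if k != "log"})
```

The point of keeping the digest in the custody log rather than only in the analyst's notes is that anyone reviewing the case later can re-run `verify` against the master image and show that what was analysed is what was seized; the modified working copy failing the check is the behaviour you want, since it proves the master was never the file being worked on.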