Thursday, November 18, 2010

Cyber privateer rules of engagement: Part 1

In draft 01 of my Cyber Privateer Code (November 13th), I laid out five rules of conduct. In the very next post (November 15th), security author Paco Hope raised four issues: (1) identifying the (real) perpetrator; (2) determining guilt; (3) applying a fair law; (4) meting out punishment to the guilty. A hypothetical example was quoted that demonstrates the complexity of point number one: identifying the (real) perpetrator.

Mr. Hope writes: "What if little Johnny, age 16, uses mom's computer to try his hand at cybercrime? Let's say he's successful at installing a keylogger on some bloke's computer and he gets some userids and passwords. He gets the guy's PayPal password and makes a couple unauthorized purchases of XBox games or signs up for a couple porn sites. He's clumsy, he's obvious, and unfortunately his victim is protected by a privateer. Tracing back the attack, we get to mom's computer. It's pretty obvious who that computer belongs to and any privateer worth his salt can trivially loot mom's bank accounts and so on."

It's pretty clear from draft 01 of my Cyber Privateer Code, point number 4, that wreaking havoc on an innocent victim means the victim should be compensated 100X. That's one hundred times the amount confiscated from an innocent person's bank account. Therefore, rather than proposing anything close to a foolproof forensic framework for separating the innocent from the guilty, my Cyber Privateer Code simply says that the privateer had better have rock-solid proof. Otherwise, Paco's hypothetical "inept French privateer" is quickly out of business. A few $10,000 mistakes translate into a few million dollars in restitution. Bad business model for Frenchie, eh?

Just as in Isaac Asimov's rules of robotics, where paradoxes will arise, my Cyber Privateer Code demands (but does not define) the enforcement mechanism. It just says that an inept privateer can watch his/her/its business evaporate along with the Letter of Marque and Reprisal. One "nod" toward reality might be that whatever bonding authority chooses to insure a cyber privateering organization would demand a certain standard of proof in order to issue an indemnification policy. Further, since that indemnification would have to be one-hundred times the maximum amount allowable for confiscation (heck, bail bondsmen only charge 10% of the total bond), a large cyber privateering organization would almost require government-level resources to post their bond. If you mistakenly grab $1 billion from the accounts of a rogue government and fail to return it within 10 days of parley (again rule 4), somebody is going to have to pony up $100 billion. Which may be a deal breaker.

Remember how I said my first shot at the Cyber Privateer Code was "draft 01?" I'm considering my first edit. Maybe the restitution amount should be 10X and not 100X. Or maybe even 2X?


Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?