The Morgan Doctrine: NASDAQ penetrated. Feds clueless? Dear John:

Saturday, February 5, 2011

NASDAQ penetrated. Feds clueless? Dear John:

Dear John:

(That's John Markese, chairman of the NASDAQ OMX Group, Inc. board of directors audit committee),

Last night's online WSJ carried a story, "Hackers Penetrate Nasdaq Computers." I've got to hand it to Devlin Barrett, the story's author. He absolutely nailed the salient issue in his first sentence:

Hackers have repeatedly penetrated the computer network of the company that runs the Nasdaq Stock Market during the past year, and federal investigators are trying to identify the perpetrators and their purpose, according to people familiar with the matter.

Good stinking grief, John! Repeatedly penetrated? During the past year? And the real knee slapper: "…federal investigators are trying to identify the perpetrators and their purpose…" In the immortal lyrics of Aerosmith, "Kiss off the devil and [honk] off a saint!" In my Monday post from National Defense Magazine, I contended that the Navy's being short of tools to detect and nab cyber-intruders built my case for authorizing legally bonded cyber privateers. But that story absolutely pales next to the NASDAQ story. The feds have been trying to figure this out for the past year? Last night in my comment on the WSJ site, I suggested:

If I were head of NASDAQ security, I'd put a bounty on the culprits. And law enforcement should give the cyber privateer "bounty hunters" a get-out-of-jail-free card.

One reader, Frank Blank, replied, "That's actually a good idea." And William Clark asked, "Curious about how that would work. Would the NASDAQ release log data to a group of qualified bounty hunters and then let them go to work?" I answered his question with a link to my Cyber Privateer Code and then said:

They would get the logs and then be released for the job by a "bonding authority" and authorized by a Letter of Marque & Reprisal authorized br Article 1 Section 8 of the US Constitution. Gotta' be done right & legally.

I then shared with him my blog on the legal precedents for cyber privateering.

NET-NET: WE DON'T NEED BIGGER BUDGETS FOR MORE FEDERAL SLEUTHS; WE NEED TO SIC THE DOGS OF HELL ON CYBER CRIMINALS! A few reader comments on the article correctly "grokked" that our government will use this as a rallying cry for more tax dollars to throw at the problem. At the risk of harping on the obvious, the feds can't begin to address the problem. Never could. Never will. I think I built my case in yesterday's posting. You know my solution. With all its warts, risks and flaws, I've not heard a better approach than licensed and bonded cyber privateers. Not only will it not cost the government a cent, but my cyber privateering concept could generate billions in confiscated funds for the US Treasury.

There seems to be some real resistance to going after the bad guys' bank accounts (see my October 25th post). The profoundly misguided logic is that we shouldn't do that because this is OUR greatest vulnerability. Alas, that train has already left the station. Furthermore, NASDAQ needs to quickly get in front of this and forcefully reestablish confidence in our financial institutions. For a short time, I served on the board of directors of a public company as chairman of their audit committee. To John D. Markese, chairman of the NASDAQ OMX Group, Inc. board of directors audit committee (and who is also on the executive committee and the governance committee of the board), I suggest you better get cracking. Because no Directors and Officers (D&O) insurance policy can possibly cover you for the potential class action liabilities from the from irate investors in our public markets. And you absolutely know your board is going to be under tremendous pressure to underestimate your liability exposure. Sir, your liability is…well…astronomical. I'd be surprised if your auditors don't run for cover on this one. Specifically, I suggest:

NASDAQ must be totally forthright about the extent of the penetration. NOT to do so could be a criminal offense. Today's follow-up WSJ story talked about unidentified "malware" files. If you know it's malware, then you'd better disclose exactly what the malware did, with whom it communicated, and its complete activity history from time of installation.
NASDAQ should immediately announce a $20 million bounty on the head(s) of the attackers, payable to pre-approved cyber privateers.
If a rogue government (such as China) is found to be responsible, the it will be the job of the cyber privateers to loot the assets of that rogue government wherever they may be found, and then
The cyber privateers should take that rogue government and its citizens off the Web until POTUS decides they have learned their lesson and gets an appropriate treaty ratified by the Senate.
NASDAQ will indemnify the cyber privateer(s) against all civil and criminal consequences, and if the US Attorney General balks at the legality, then he should be replaced by someone who will go to Congress and get the necessary legal waivers.

Does this sound draconian? Mr. Markese, it's your skin at stake here. Our financial institutions are indeed our greatest vulnerability. Unless you consider this "nuclear option" seriously, the end of the financial world could beat that Mayan 2012 doomsday calendar by a good year.

No comments:

Post a Comment

Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?

Background: Welcome black hats, white hats and cyber swashbucklers

The Revolutionary War was fought, financed, and pretty well WON by bonded privateers, legalized pirates who were given Letters of Marque and Reprisal by the Continental Congress and authorized to attack, capture and monetize British ships. The purpose of this site is to explore the possibility of a modern-day doctrine much like the Monroe Doctrine, by means of which the U.S. government could legally and, more importantly, effectively stop international hackers. Current cybercrime law is not only ineffective, but downright stupid. My Linux servers are attacked hundreds of times a day (mostly from China and former USSR domains), yet if I retaliate against those servers with some creative technology at my disposal (I know some VERY smart guys), then I am in violation of federal law and subject to some onerous penalties. We need more than a new law. We need a new international doctrine. I call it The Morgan Doctrine, named after Morgan Rapier, a fictional character I've created (hey, this is my way of establishing ownership of the concept, should it ever see the light of day).

Why a new international doctrine? Simply, nothing else will work. Introduced on December 2, 1823, the Monroe Doctrine told the world to keep their hands off the Americas. Combine this with current legal thinking on "hot pursuit" of fugitives. In 1917 the US Army went into Mexico after Pancho Villa. More recently, in 1960 Israeli Mossad agents abducted Adolf Eichmann from Argentina. Granted, much of the world regards the Eichmann adventure as a violation of international law. I don't share that opinion and therefore use it as the third leg of my Monroe-Pancho-Aldof platform for The Morgan Doctrine.

If someone comes into your home and attacks or attempts to rob you, you may shoot them dead. You may do so as long as they expire on your property. But what about cyber criminals? They attack you in your home from their homes. Retaliate in kind, and you go to jail. The Morgan Doctrine states simply that if you attack my computers (or my banking assets held in US-based computers), then under a certain set of well-defined conditions, a licensed and bonded "cyber privateer" may attack you in your home country and split the proceeds with the U.S. government. For the sake of argument, let's call it a 50-50 split (heh heh).

Right now, American law enforcement is completely unequipped to deal with the sheer number international cyber hackers. Sure, I could report each of the thousand daily attacks to the FBI, as could the millions of other attackees in the USA. But the volume of such reports would make any meaningful resolution laughable. Not to mention that the FBI has no jurisdiction outside the USA. Yet to make such "enforcement" profitable to recognized (ie, "bonded" "deputized") privateers, as Heath Ledger's Joker said in his last role, "Now you're talking!" You raid our bank accounts, we raid yours. You make money from off-shore child pornography, we're going to loot your bank accounts and, with some REALLY creative black hat operations, you will be taken off the grid worldwide to the extent that you'll not even complete a cell phone conversation for the remainder of your miserable depraved life. Okay, that last part probably won't fly, but you get my drift.

The purpose of this site is to explore the mechanics, legalities and practicality of The Morgan Doctrine.

And I will be the sole arbiter of whether or not your comments get posted. As Mel Brooks wrote, "It's good to be king."