Rules of engagement is a concept familiar to most military personnel worldwide. The basic premise of rules of engagement is to ensure a proportionate response to a particular threat; the framework is sometimes also known as escalation of force. Rules of engagement for physical threats are usually quite straightforward: we start with a verbal warning, followed by a show of force such as drawing a weapon. If the target persists, we further signal our intent by firing warning shots or marking the target with a laser, and only as a last resort do we take down the target. These rules, however, do not translate easily to cyberspace.
The nature of cyberspace is such that it is often impossible to discern the actual source of an attack. In physical warfare, a muzzle flash gives away the attacker's position. In cyberspace, the IP address from which an attack arrives is not necessarily the attacker's own: it may belong to a compromised machine or an open proxy used as a stepping stone, or, for connectionless traffic such as UDP floods, it may be an outright spoofed source address. Often the owner of a compromised machine is not even aware that it is being used to launch a cyberattack. Any retaliation aimed at that address therefore lands on an innocent third party rather than on the attacker.
However, a recent article claims that companies should be given the right to fight back against cyber criminals. It is critical to lay down the rules of engagement before we even consider giving companies that right. We need to properly define what constitutes a cyberattack. Is a port scan considered an attack? The physical equivalent of a port scan would be trying to open every locker at a public facility in the hope that someone has forgotten to lock one after placing his belongings in it. Such an action, while not necessarily illegal, is suspicious behaviour and would attract the attention of passers-by. In the cyber realm, however, there are no clear guidelines on whether such reconnaissance should be construed as malicious in itself or merely as a sign of intent to commit further malicious actions; port scans are also run routinely by researchers, internet-wide scanning services and misconfigured software, so a scan on its own does not identify an attacker. Are we then allowed to retaliate solely based on intent?
That aside, we would also have to consider how to determine an appropriate level of reaction. If a kid threw a pebble at your window, it would not be appropriate to pull out your shotgun and start firing at him; the kid's father might come back with a weapon and start an all-out war. I am leaving law enforcement out of this scenario because the internet is often described as the wild west, where it is difficult or even downright impossible to track down and prosecute someone in another country. A similar situation might occur in cyberspace: a competitor might be accused of launching a cyberattack against a particular company, and the dispute develops into a full-blown cyber war when both sides retaliate with force, even though neither side may have correctly identified the original attacker.
Lastly, it is important to ensure that the entire process is documented and that all related evidence (logs, packet captures, system images) is preserved with a proper chain of custody. The point of giving companies this power in the first place is that the current process is too slow: most of the damage is done by the time enforcement action is taken. Hence, companies who choose to invoke cyber justice should be subject to the same evidentiary requirements that law enforcement is currently subject to, and they should be held accountable for their actions should they misjudge the threat or fail to prove that their response was proportionate to the scale of the attack.
In summary, before we even begin to consider giving companies the right to fight back against cyber criminals, we must first define the scenarios in which a company is allowed to invoke such powers. All evidence must be documented to prevent false claims, and companies must be held accountable for their actions. We could perhaps take a leaf from current military doctrine on rules of engagement and adapt it for use in cyberspace.