“Self-Help in Cyberspace: Offense, Defense, and Both at the Same Time” Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Critical Infrastructure Conference George Mason University Law School May 9, 2003



Overview

Defining “self-help”
Offense, defense, and both
UCITA self-help
Berman bill
Conclusions


I. Defining “Self-Help”

Broad definition:
– Any action to prevent or resolve a dispute without official assistance of government official or neutral 3d party
Narrow definition:
– Repo actions to get back property when a debtor has not performed under a contract
Today: start broad, then look at narrow


II. Offense and Defense in Self-Help

Offense in cyber-security: an attack on their system
– Send virus
– High port attack
– And so on

This is typically a crime (Computer Fraud and Abuse Act) and/or intentional tort (trespass to chattels)


When is Offense Justified?

Privileges from traditional criminal and tort law
– Defense of property: allowed to use proportional force to repel the attack
– If someone is attacking your physical property, usually cannot counter-attack
– Usually not “self defense” because physical person is not threatened by cyber-attack
– In short, narrow privilege to use offense


When is Offense Justified?

What about offensive cyber-attacks in time of war?

Would generally be lawful where the war is lawful
– But, “perfidy” and limits on the U.S. Army pretending to be an authorized computer user
– Limits on collateral damage -- perhaps unlawful to attack zombie computer that fronts for the true adversary


Defense in Cyber-security

Presumptively lawful:
– Firewalls
– Anti-virus
– And so on

This is “my” system and I lawfully can protect it with the equivalent of locked doors, internal security, and bright outside lighting


Both Offense and Defense

“Interactive” computer systems
– My bits interact with your web page
– My software mixes with your data
– We lack the clear boundaries of real property law
Your cookies on my hard drive (are you attacking me?)
My surfing may exceed your stated terms of use (am I attacking you?)


Both Offense and Defense

Suppose your software is on my system

I want to de-bug or reverse engineer the software (circumvent the protective coating around your software)

Defense because it concerns (potentially malicious) activities inside my system?

Offense because I am circumventing the protections of your software?


Both Offense and Defense

Hence, the controversy in the anti-circumvention rules in Sec. 1201 of the DMCA

Compelling security principle that the defender can know what is inside the security perimeter

Compelling intellectual property argument that protection is needed to stop widespread piracy


How to Resolve Circumvention?

Sorry. Can’t do that today.

Analysis here shows the systematic challenges that Sec. 1201 will pose for those who want to have security within their system perimeter

Quite likely need more input from security community in ongoing debate


III. Between Offense and Defense -- UCITA

The “narrow” or “traditional” type of self-help
A lender/seller “gets back” its own property
– Repo a car
– Cut off the buyer’s access to software, where the buyer no longer has a legal right to it


UCITA

This is partly “defense” by seller
– The buyer has no right to the property
Basic common law questions:
– Is there an offensive tort or crime?
– Is the offense privileged?
– Key candidate for that is “consent”, like consent to battery (boxing), or to trespass (license to come onto property)


Is UCITA Self-Help Good?

UCITA described by Joel Wolfson
For software that expires in 30 days, few problems
– No offense involved
– Possible concerns about consent, so that the hospital system does not suddenly shut off


UCITA

Entry into buyer’s system to shut off software?
Significant “offense”
The battle in UCITA was over meaning of “consent”
– No mass market licenses
– No collateral damage
– Consent must be specific to the self-help provision


In favor of UCITA Self-Help?

In favor:
– The argument for contracts generally
– Expands range of possible bargains, increasing efficiency and choice


Worries about UCITA Self-Help

Concern of a security externality

Contrast a system with many “back doors” or “Trojan horses” under UCITA to one where this self-help is prohibited

Technical question how much these holes in defense will undermine overall security of networked systems

Benefits of contracts vs. security externality


IV. Between Offense and Defense: Berman Bill

Joel Wolfson has described it

Basic idea: where there is wrongful conduct (copyright infringement), the owner can destroy the infringing material

Physical world: car owner could destroy the car held by borrower who didn’t pay or by a thief


Berman Bill

Common law
– Some authority for strong self-help if the thief holds your car -- break into the yard, etc.
– No privilege of consent, however, as in UCITA
“Offensive”
– Launch computer attack
– A stranger’s computer


Berman Bill More Worrisome than UCITA Self-Help

Security externality of Berman
– “Breach of the peace” worries where authorize attacks on strangers
– Current draft allows a lot of collateral damage
– Unclear effects on infringers vs. system owners (what if a University server is destroyed?)
Legal line drawing problems
– Similar authority to delete hate speech, defamation, obscene material, anti-government political speech, etc.?


Conclusions

Framework of common law and privileges such as defense of property and consent

Framework of offense (usually bad), defense (usually good) and both (usually hard)

Need more legal research into physical world analogies

Ultimately, benefits from self-help vs. costs to building insecure systems


Contact Information

Professor Peter Swire
phone: 240-994-4142
email: [email protected]
web: www.peterswire.net