Once again today, the US Department of Justice announced an indictment of individuals in other countries for allegedly criminal behavior. This is becoming a routine exercise. Bad guys conduct digital attacks. Government collects digital evidence of the attacks. Government obtains an indictment. And the story ends. There is no arrest, no prosecution, no trial, and no conviction.
See, the problem with this scenario is that there is no court in the Cloud where there can be a trial! The bad guys are not within the boundaries of the United States. They have not been arrested. There has been no trial in absentia—at least in this country, an accused has a right to confront their accusers and participate in the trial.
There is a slim possibility that a bad actor will be stupid enough to continue to use the identity under which he or she has been identified and get caught crossing an international border of a country willing to extradite the bad actor to the United States. But, seriously, if they are smart enough to attack and compromise the best computer systems of global manufacturers (such as Boeing), national banks, or (as reported in the most recent indictment) the operating control systems of a dam, would they really be that careless?
What About the Evidence?
There is one further problem. Imagine the bad guy is arrested, extradited, fails on all of the arguments to avoid trial, and is put on trial. What evidence will be used to convince the judge or jury of the digital crime? Inherently, the evidence will be entirely digital—IP addresses, trace routes, bot networks, encryption keys, and electronically preserved communications.
There is no direct witness to the crime that can provide any oral testimony to what was observed. The only possible witnesses will be investigators that identified and collected, parsed, and organized the data into a completed picture of the bad actor’s conduct. The New York Times story today highlighted that the evidence that identified the hackers came from intelligence agencies—the mere prospect of presenting the “chain of custody” to prove the integrity of that data as evidence could thwart any serious effort at trial.
The Essential Challenge
Globally, there is nothing like the International Criminal Court prepared to hear these types of cases. It is also unlikely, amidst all of the competing demands for resources to feed, house, and defend humankind, that establishing that type of instrument for justice is realistic to anticipate. So what is a global society to do? Today’s indictment emphasizes that this case is particularly important because the bad actors did not just target banks; they targeted a dam—critical physical infrastructure that protects the lives of an entire region.
Ultimately, the battle for justice will not rely on the orderly mechanisms of trials, attorneys, and rules of evidence. No, reactions—and punishments—must be faster, more agile, and more decisive. The NYT confirms this in their story, citing an expert at Columbia University indicating the NSA already has operators running “Tailored Access Operations” responsible for breaking into foreign computer systems.
The Questions We Should Be Asking
But what standard of care will they require to sanction punishments? How will they calculate the reliability of evidence? What will be sufficient proof to strike? Will they use the same standards used in launching drone attacks? More or less? Will humankind, as a society, care enough to demand a rule of law for how judgment of guilt and the severity of punishment will be measured? How will we feel if an electronic counterattack by another nation’s NSA shuts down a hospital system while surgery is in progress, sentencing the patient to immediate death? What evidence will we trust as evidence of the truth with which to launch judgment and punishment?
These are the questions we must be asking to find our way toward building a rule of law for the Cloud and pursuing effective justice that does not destroy our humanity.