Should we reconsider the notion that companies under attack are prohibited from investigating the attackers and trying to locate them? We allow private investigators to conduct some activities that usually only the police are allowed to do; should we accredit private cyber investigators?
I’m not really sure what my response is to the first question. I didn’t realize companies are prohibited from investigating the source of an attack and identity of the attackers.
Obviously, conducting such an investigation would be illegal if the company employees broke the law while they conducted the investigation; so if, say, computer investigators working for Company X hacked into computer systems in an effort to find out who had been hacking their system, that would be a crime under U.S. state and federal law and under the law in many other countries, as well. They’d be accessing those computers without being authorized to do so, and unauthorized access is, as I just noted, a crime in many countries. Aside from that, I’m not aware there’s any free-standing prohibition on a company investigating a cyber attack (or a real world attack, for that matter).
That question doesn’t really interest me, I’m afraid. The one I found more interesting is the second question: whether we should accredit private cyber investigators.
It looks like we already do, at least in some states. Michigan’s Professional Investigator Licensure Act, for example, defines a “professional investigator” as someone “who for a fee, reward, or other consideration engages in the investigation business.” Michigan Compiled Laws § 338.822(h). The Act defines “investigation business” as a business
that, for a fee, reward, or other consideration, . . . accepts employment to furnish. . . or makes an investigation for the purpose of obtaining information with reference to any of the following:
(i) Crimes or wrongs done or threatened against the United States or a state or territory of the United States, or any other person or legal entity. . .
(v) Securing evidence to be used before a court, board, officer, or investigating committee.
(vi) The prevention, detection, and removal of surreptitiously installed devices designed for eavesdropping or observation, or both.
(vii) The electronic tracking of the location of an individual or motor vehicle for purposes of detection or investigation.
(viii) Computer forensics to be used as evidence before a court, board, officer, or investigating committee.
Michigan Compiled Laws § 338.822(e). The Professional Investigator Licensure Act defines “computer forensics” as “the collection, . . . analysis, and scientific examination of data held on, or retrieved from, computers, computer networks, computer storage media, electronic devices, electronic storage media, or electronic networks, or any combination thereof.” Michigan Compiled Laws § 338.822(e). Since you have to get a license to engage in the investigation business, it looks like Michigan already accredits private cyber investigators . . . at least in a literal sense. And if Michigan does, I suspect other states do, as well.
What I found interesting about the second question, though, was what it might imply. My first question was what, precisely, would we want these private cyber investigators to do that isn’t already being done?
My sense is that companies are, as I noted earlier, already having employees with the necessary skills investigate cyberattacks launched against the companies. If that is true, and we’ll assume it is true for the purposes of this analysis, what would we achieve by accrediting a company’s employees as private cyber investigators or, alternatively, letting companies hire independent private cyber investigators to analyze cyberattacks? The question, I think, necessarily implies that we would achieve something we don’t already have, but what?
One possibility is that when the question says “accredit” it really means “deputize.” Why might that be a logical possibility? The answer, I think, lies in figuring out what we’d be trying to accomplish by giving private cyber investigators some special status. The only way the question makes sense is if we’re trying to (i) let the private investigators do things they can’t already do and/or (ii) get them to do things they’re not currently doing.
What would we be trying to let them do that they can’t already do? As I noted above, private cyber investigators can’t break the law as they conduct their investigations, so maybe this is what the “can’t” alternative is going toward. I don’t really think that is what the question is going toward. I certainly hope that isn’t what it’s assuming because that would mean we’d be authorizing vigilante action; and as I noted in an earlier post, while vigilante action can be superficially appealing when we’re dealing with activity that tends to elude the efforts of law enforcement, it’s always, IMHO, a very, very bad idea to go down the vigilante path.
The “can’t” alternative might be trying to address the breaking-the-law/vigilante scenario by letting us deputize the private citizens who investigate cyberattacks on behalf of the companies that employ them. I briefly checked some state statutes and confirmed that law enforcement officers in at least some states can still deputize private citizens so they can help regular officers deal with crimes, etc. Deputies apparently didn’t die with Old West posses. So maybe the notion of accrediting private cyber investigators is meant to overcome the “can’t” problem by letting them do things law enforcement officers can do, which brings us back to the “what?” issue.
What would deputizing private investigators let them do that they can’t do now but law enforcement officers can do? One thing might be to let them apply for search warrants that authorized them to go into other systems to collect evidence; that could address the civilians-can’t-violate-the-law issue. If deputizing them did this, then the deputized private cyber investigators would presumably also be able to rely on exceptions to the 4th Amendment’s warrant requirement, and use consent or exigent circumstances to go into a system without first getting a search warrant authorizing the intrusion.
At this point, I don’t know if that’s doable under our law or not. I’ve been traveling so I haven’t had time to research the issue in detail. I’m going to assume it is doable, if only because it seems a logical implication of the power to deputize citizens to assist law enforcement officers in the conduct of their duties. I don’t like it, though, because it could get out of hand; I did a post a couple of years ago on the American Protective League, a World War I initiative that essentially deputized civilians to help federal agents find German spies and saboteurs and that got way out of hand. I fear something similar could happen with the scenario I’m postulating here.
That brings us back to the other alternative: trying to get private cyber investigators to do something they’re not already doing. I suspect this may be the real rationale for the question about accrediting private cyber investigators. One of the problems we have in dealing with cybercrime (and related cyberattacks) is that companies are not inclined to report attacks; since they’re not inclined to report attacks, the data a victimized company compiles about the attack almost certainly won’t make its way to law enforcement.
So maybe the question about accrediting private cyber investigators is only going to the issue of trying to get those who investigate cyberattacks against private entities to share the evidence they collect with law enforcement officers. I think that’s a real possibility. My problem with this alternative is that I don’t really see how accrediting investigators could get them to report their findings to law enforcement. I suppose it would give them more of a professional reputation, more gravitas, and maybe the theory is that this enhanced professionalism would encourage them to share their findings with law enforcement. I don’t see how and why that would work, though; it’s my impression that the failure to report is attributable to the companies’ concerns about negative publicity, not any lack of professionalism on the part of the employees who deal with cyberattacks.
Now, if the question is using “accredit” to mean “deputize,” that might change the analysis. If private cyber investigators were deputized, I assume it would mean they were under a legal obligation to share evidence they’d collected with law enforcement. And maybe that’s what the question is really going to – maybe it’s postulating a kind of nationalization strategy for the employees of private companies who are charged with investigating cyberattacks. If they became deputies of whatever governmental system (I don’t think the federal system does deputies, so they could be state deputies), then they would presumably be obligated to share what they had with the official representatives of that system.