Steven Chabinsky (CrowdStrike, ex-FBI Cyber Division) talks private sector cyberdeterrence at ABA’s NatSec Law conference

I also had the opportunity to attend the ABA Standing Committee on Law and National Security’s 22nd Annual Review of the Field of National Security Law in Washington, D.C.  The conference is just wrapping up today, and was a great event.

Yesterday (11/30) the ABA invited Steven R. Chabinsky–the Senior VP, Legal Affairs & Chief Risk Officer of CrowdStrike, Inc. and prior Deputy Assistant Director of the FBI’s Cyber Division–to give a keynote lunchtime address titled “How Today’s Cybersecurity Problems are Reshaping National Security Law.”  It was, in short, a fantastic talk.  I’d like to discuss a bit of what he said.

Mr. Chabinsky started with the proposition that there is no such thing as cyberlaw.  In fact, he argued that in their day-to-day national security capacity, each member of the ABA’s conference was practicing cyberlaw.  The point was that whatever we consider cyberlaw to be, it is still far from established.

Moving on from that point, Mr. Chabinsky argued that the cybersecurity problem was, in reality, a technology problem.  He noted cyber vulnerabilities in cars and biomedical devices, saying “our nation’s citizens are vulnerable” and “targeting doesn’t have to mean Stuxnet.”  One line I loved: “you believe the display you’re watching is accurate,” but in reality, cyber specialists have the ability to manipulate displays to tell you everything is okay when it’s clearly not.  Furthermore, the U.S. has to realize its use of cyberweapons (like Stuxnet) will work both ways: we’re setting normative behaviors when we use such weapons, and unlike a bomb, a cyberweapon “doesn’t go away when you launch it.”  People are going to discuss, dissect, and possibly redesign it.

Then Mr. Chabinsky got to the topic I had waited for with bated breath: the role of private companies in cybersecurity.  He said that private companies are having discussions about taking action on their own in cyberspace because they don’t believe the government can handle it.  Furthermore, things aren’t getting better.  Congress is not passing effective legislation, but rather, arguing amongst themselves.  In the interim, the private sector suffers from cyberespionage.  “Everyone knows you can’t win on defense,” we can’t keep relying on the mindset of gates and guards, and we need to go after the bad guy.  “It will be a national security and law enforcement prerogative to involve the private sector in threat deterrence.”  This becomes especially relevant because, according to Mr. Chabinsky, we’re seeing increasing crossover between nation-states, terrorists, and criminal groups.

The talk then transitioned to the question and answer phase.

I forgot the question, but I love his response regarding the infection of SIPRnet by those flash drives: we keep talking about wake up calls, but “the snooze button has been hit 20 times.”

Regarding attribution, Mr. Chabinsky didn’t think it was as huge a problem as people make it out to be.  Direct attribution to a single person is still tough, but there is a greater chance of attributing conduct to a nation-state.

There was, at some point, a question about the legality of hackback.  Mr. Chabinsky noted there is a bit of unease about the idea of the private sector taking punitive measures.  However, he drew a distinction between punitive measures and the private sector taking stabilizing actions until they can hand off the situation to law enforcement or the intelligence agencies.  I really loved this idea.  It’s not so much beating the guy who stole your wallet, but pinning him to the ground until the cops come.  Mr. Chabinsky drew in 4th Amendment/exigent circumstance parallels, arguing that notions common in other areas of the law could be relevant here.  Indeed, it’s a shame that the U.S. “has the most capable, innovative private sector that is not involved in threat deterrence.”  My commentary: I really, really like this idea.  A lot of people are uneasy about hackback because it seems like some form of vigilantism or reprisal.  If we frame it as not a method of reprisal, but rather, as something a company can use before the government gets on the scene, it’s easier to swallow.

Paul Rosenzweig (of Lawfare fame) had a great question as to how we could square hackback with international law, especially in the context of some sort of government supported hackback regime.  Mr. Chabinsky suggested that we need to have international norms in this area and segregate out in advance when and where we can do certain things.

This is, of course, my incomplete paraphrase of Mr. Chabinsky’s talk at the ABA conference; I don’t mean to put words in his mouth, so take what I’ve written as you will.

In any event, it was a wonderful talk, and probably one of the most forceful and persuasive arguments I’ve heard regarding the private sector’s role in cyberspace.

Again, all credit to the ABA (and of course Mr. Chabinsky) on this one.

***

It’s been a while, but if you’re interested, @cyberlawblog for our Twitter account.


2 Responses to “Steven Chabinsky (Crowdstrike, ex-FBI Cyber Division) talks private sector cyberdeterrence at ABA’s NatSec Law conference”

  1. [...]  Steven Chabinsky–the firm’s Senior VP, Legal Affairs & Chief Risk Officer–gave a great lunch time talk at the ABA’s NatSec conference.  This Forbes article quoted its President, Shawn Henry; as did this Nextgov article.  Further [...]

  2. [...] Steven Chabinsky (CrowdStrike) speaks at ABA conference.  [...]
