Steven Chabinsky (Crowdstrike, ex-FBI Cyber Division) talks private sector cyberdeterrence at ABA’s NatSec Law conference

I also had the opportunity to attend the ABA Standing Committee on Law and National Security’s 22nd Annual Review of the Field of National Security Law in Washington, D.C.  The conference is just wrapping up today, and was a great event.

Yesterday (11/30) the ABA invited Steven R. Chabinsky–the Senior VP, Legal Affairs & Chief Risk Officer of Crowdstrike, Inc. and prior Deputy Assistant Director of the FBI’s Cyber Division–to give a keynote lunchtime address titled “How Today’s Cybersecurity Problems are Reshaping National Security Law.”  It was, in short, a fantastic talk.  I’d like to discuss a bit of what he said.

Mr. Chabinsky started with the proposition that there is no such thing as cyberlaw.  In fact, he argued that in their day to day national security capacity, each member of the ABA’s conference was practicing cyberlaw.  The point was that whatever we consider cyberlaw to be, it is still far from established.

Moving on from that point, Mr. Chabinsky argued that the cybersecurity problem was, in reality, a technology problem.  He noted cyber vulnerabilities in cars and biomedical devices, saying “our nation’s citizens are vulnerable” and “targeting doesn’t have to mean Stuxnet.”  One line I loved: “you believe the display you’re watching is accurate,” but in reality, cyber specialists have the ability to manipulate displays to tell you everything is okay when it’s clearly not.  Furthermore, the U.S. has to realize its use of cyberweapons (like Stuxnet) will work both ways: we’re setting normative behaviors when we use such weapons, and unlike a bomb, a cyberweapon “doesn’t go away when you launch it.”  People are going to discuss, dissect, and possibly redesign it.

Then Mr. Chabinsky got to the topic I had waited for with baited breath: the role of private companies in cybersecurity.  He said that private companies are having discussions about taking action on their own in cyberspace because they don’t believe the government can handle it.  Furthermore, things aren’t getting better.  Congress is not passing effective legislation, but rather, arguing amongst themselves.  In the interim, the private sector suffers from cyberespionage.  “Everyone knows you can’t win on defense,” we can’t keep relying on the mindset of gates and guards, and we need to go after the bad guy.  “It will be a national security and law enforcement prerogative to involve the private sector in threat deterrence.”  This becomes especially relevant because, according to Mr. Chabinsky, we’re seeing increasing crossover between nation-states, terrorists, and criminal groups.

The talk then transitioned to the question and answer phase.

I forgot the question, but I love his response regarding the infection of SIPRnet by those flash drives: we keep talking about wake up calls, but “the snooze button has been hit 20 times.”

Regarding attribution, Mr. Chabinsky didn’t think it was as huge a problem as people make it out to be.  Direct attribution to a single person is still tough, but there is a greater chance of attributing conduct to a nation-state.

There was, at some point, a question about the legality of hackback.  Mr. Chabinsky noted there is a bit of unease about the idea of the private sector taking punitive measures.  However, he drew a distinction between punitive measures and the private sector taking stabilizing actions until they can handoff to the situation to law enforcement or the intelligence agencies.  I really loved this idea.  It’s not so much beating the guy who stole your wallet, but pinning him to the ground until the cops come.  Mr. Chabinsky drew in 4th amendment/exigent circumstance parallels, arguing that notions common in other areas of the law could be relevant here.  Indeed, it’s a shame that the U.S. “has the most capable, innovative private sector that is not involved in threat deterrence.”  My commentary: I really, really like this idea.  A lot of people are uneasy about hackback because it seems like some form of vigilantism or reprisal.  If we frame it as not a method of reprisal, but rather, as something a company can use before the government gets on the scene, it’s easier to swallow.

Paul Rosenzweig (of Lawfare fame) had a great question as to how we could square hackback with international law, especially in the context of some sort of government supported hackback regime.  Mr. Chabinsky suggested that we need to have international norms in this area and segregate out in advance when and where we can do certain things.

This is, of course, my incomplete paraphrase of Mr. Chabinsky’s talk at the ABA conference; I don’t mean to put words in his mouth, so take what I’ve written as you will.

In any event, it was a wonderful talk, and probably one of the most forceful and persuasive arguments I’ve heard regarding the private sector’s role in cyberspace.

Again, all credit to the ABA (and of course Mr. Chabinsky) on this one.


It’s been a while, but if you’re interested, @cyberlawblog for our Twitter account.

Tags: , , , ,

2 Responses to “Steven Chabinsky (Crowdstrike, ex-FBI Cyber Division) talks private sector cyberdeterrence at ABA’s NatSec Law conference”

  1. […]  Steven Chabinsky–the firm’s Senior VP, Legal Affairs & Chief Risk Officer–gave a great lunch time talk at the ABA’s NatSec conference.  This Forbes article quoted its President, Shawn Henry; as did this Nextgov article.  Further […]

  2. […] Steven Chabinsky (CrowdStrike) speaks at ABA conference.  […]

Leave a Reply

You must be logged in to post a comment.


Untitled Document
Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Ryan D. White

Ryan D. WhiteRyan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic. Full biography

Shelby E. Mann

Ryan D. WhiteShelby is a second year law student at the Syracuse University College of Law. During her final year at the University of Missouri, she served as a full-time news producer for ABC 17 News. Shelby spent her first summer of law school at the Shelby County District Attorney General's Office in Memphis, Tenn., in the Public Corruption and Economic Crimes Unit. She is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and the senior editor for the Syrian Accountability Project. Full biography

Christopher w. FolkChristopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Anna Maria Castillo

Anna Maria Castillois 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review. Full biography

Jennifer A. CamilloJennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography