The Orlando Doctrine » Commuter Files
http://orlandodoctrine.com
The Network Use of Force Continuum
Wed, 28 Jan 2015 18:40:21 +0000

Network Use of Force: Disrupt
http://orlandodoctrine.com/?p=208
Sat, 09 Feb 2013 14:53:03 +0000

Woman:  This call is now being recorded.

Brandon Dunlap:  Good morning, Mr. Wilcox.

Spencer Wilcox:  Hey, how are you, Brandon?

Brandon:  I’m just about halfway through my first cup of coffee so forgive me if I’m a little slow with you this morning.

Spencer:  That’s all right.

Brandon:  Well, do you still have time to chat?

Spencer:  I do. I am driving in as we speak.

Brandon:  No problem. I think that we decided that we were going to talk about the Disrupt portion of our Network Use of Force Continuum this morning.

Let’s dive right in.

The first step is defining what we mean by “Disrupt.” This is really the first time we leave our network boundary to begin to affect the upstream attack or the attackers.

Spencer:  I would classify it more as a border skirmish than leaving the boundary. Within Disrupt, there are a lot of tactics like shunning at a firewall, like disaster recovery IP addresses, things that would extend your perimeter or blockade a perimeter rather than necessarily egress from your network.

There certainly is an element of leaving your network. Things like communicating with an upstream ISP might be an example of how one would leave the perimeter. But it’s not as in your face.

It’s within this particular spectrum. It’s not as if you’re “taking the battle to the enemy.”

I want to make sure, first, that we make that distinction. The real difference between this and the Disarm and Destroy phases of the spectrum is that this one is right on the edge of your own person.

The physical analog to this would be an open-handed tactic where a police officer grabs a suspect or a subject instead of immediately going to a more lethal form of force.

Brandon:  Let me ask you this, then. There was the electronic hippies incident whereby the defense actually rerouted attack traffic to the source. They weren’t actually traversing open Internet space in affecting the end attacker in that manner by compromising or DDoSing them or something like that. Instead what they did was they just put routes in to redirect that traffic back to the offending host.

That one straddled the line perhaps, but it’s important to note that you have not then left your own purview. It’s more like jujitsu in that regard, using your enemy’s weight and momentum against them, which could be construed as Disrupt.

But depending upon the impact, could also be construed as Destroy.

Spencer:  I would have said Disarm. It moves directly into that space of a denial of service (DoS) without necessarily being distributed.

So the idea there being, if I am echoing back everything that you just said to me rather than listening to it, I haven’t really done anything wrong. But I am leaving my network at that point.

Again, I want to make sure that that delineation is there between what we’re calling Disrupt and then Disarm or on the lower scale in the Deceive spectrum. So in the Disrupt part of the scale, what we’re really looking at are things like a tar pit.

So you enter my network. Rather than me just monitoring you like I would in Deceive, with a honeynet or a honeypot, I’m going to actually slow you down.

I’m going to make the time to live on every packet so small that essentially your traffic has become almost minuscule in its impact. Does that make sense?

Brandon:  So using tar pits, firewalls, shunning, just null routing stuff, things of that nature, so that you are doing your best to dodge the attack.

Spencer:  That’s right. In personal safety one of the things we used to do, like the crime prevention training years ago, I’d go out to a personal safety lecture.

One of the things they’d say is, “Remember, it’s very difficult to hit a moving target if someone’s shooting at you, right? So start moving.”

It’s very difficult for somebody who’s got a pistol to hit that moving target. Be a moving target. This Disrupt spectrum really is being that moving target. It’s an attempt to eliminate the immediacy of attack.

Really what we’re trying to do is we’re trying to make the armed assailant miss. We’re trying to cause him to hit a backstop instead of hitting us, or maybe even, redirecting him out to somebody else.

Maybe not a completely ethical means of doing business, but imagine, if I’ve got bad guys that are causing me problems, and I just redirect all of my traffic to, oh, say, some military space website, so the military will get their traffic from this point forward.

Brandon:  Well, what we’re essentially talking about is something my old martial arts instructor used to tell me. The easiest way to not get hit in a fight is to not be where the punch is going.

What we’re talking about here with reflecting traffic or redirecting, firewall shunning, switching over to another set of IPs in your disaster recovery facility or whatever that may be, is being someplace other than where the attack is going.

You are Disrupting, not the attacker, necessarily, in this case, but the attack itself.

Spencer:  That’s right.

Think of it as Captain America’s shield. Captain America’s shield can certainly be an offensive weapon. He slings it around. He bounces it off walls, but in essence it’s just a shield. Its first job is to Disrupt the attack itself. That’s the purpose of this phase.

Let’s stop the bullet from hitting our superhero.

Let’s stop the attack from getting through.

Let’s protect the network by using innovative tactics to skirt the edge of our own borders or our own perimeter.

What we don’t want, necessarily, is to go too far afield from our network, that is to say, we’re not suggesting that people go out and use a High Orbit or Low Orbit Ion Cannon at someone at a point in their defense.

What we’re suggesting is that they use more traditional tactics that are clearly not possible violations of the Computer Fraud and Abuse Act, right?

The other thing that we want to look at here is the use of legal means at this level. This would be the level where we would send an abuse letter to an ISP, if an immediate cessation is not absolutely necessary.

In other words, the punches aren’t hitting so close to home that we can’t absorb the shock. Then what we might consider is taking a little more time out of our day, going all the way to identification of the actual attacker, maybe, and using legal means to try and stop the attack.

This is very similar to what Microsoft has done in some of its efforts to stop command and control botnets. They’re saying, we’re going to go ahead initiate civil litigation in whatever country this thing is being run from, in order to help stop the damage.

The trouble with that is, it may take a year or two, and the question is, can we tolerate that? I guess the answer is, it depends really on your patience, on what’s at stake.

But at this level of attack I think of it as, this is the constant, pernicious attacks. This is the guy who’s getting in, he’s getting through, he’s getting to you, he’s doing everything that he can to start Disrupting your services.

It may be an APT. It might be some kind of attack by assignment, or it might mean you have a malicious insider. The idea is here, this is not fast‑spreading lethal force against your network type of attack.

Brandon:  You’ve gone up a few things in that last little bit, but let’s drill into where this fits. One of the things that you brought up is, if it is not an attack that has the immediacy and potential of a quote‑unquote “lethal means,” that’s not a massive DDoS or something against your web services, let’s say, then this may be where you stop. This may be where you say, I’m just going to go here, while I continue my investigation, reach out to law enforcement, and take a breather, shall we say, in the escalation.

It’s a good pause point, I think, because sometimes these things are combinatorial attacks. We’ve heard this in the financial industry, where a denial‑of‑service attack is actually coupled with a fraud attack, perhaps bogus ACH transfers.

What they’re doing is they’re getting the defense all riled up around a bogus attack. Well, it’s a legitimate attack, but it’s really just a smokescreen for something else.

This is small enough that it doesn’t spin up all of your resources to respond. Then maybe it buys you a significant amount of time. Again, it comes back to proportionality. If not in a state of immediate and real danger, then maybe this is where we disarm or where we stop, because we’re on the right side of the law, still.

Spencer:  That’s exactly right. There’s not a lot of risk associated with this particular level of the defense spectrum, or at least personal risk. If I’m a company, my question is, how much risk am I incurring by taking this action? Am I potentially creating a situation where I have to litigate? Am I potentially creating a situation where I have the federales knocking at my door, so to speak?

The answer here is no, there’s no real step outside your perimeter. There’s no risk associated with taking this tactic other than the internal risks associated with the potential for damage to your own networks.

What I want to make sure that we address, though, or reiterate here, is the real issue here, at this layer, is an opportunity to Disrupt the attack itself.

You have an opportunity, if you’re able to go to this level of effort, you have the opportunity to either Disrupt it technically, and there are a number of really interesting products that can help at this layer.

You have an opportunity to Disrupt legally. You also have potentially an opportunity to Disrupt through alternate means, like through administrative means, like reaching out to an ISP, or even an administrator on a network.

Let’s say that you find that somebody is sending you hundreds and thousands of spam messages, and they’re all coming from a single domain. You can reach out to that administrator and say, “Hey, look ‑ you’re spamming me. I want to make you aware. If you don’t do something about it, we’re going to take additional steps, like asking that your domain be blacklisted.”

So it really is the friendly approach, if you will. It’s the open‑handed control technique. It’s the grabbing the guy by the wrist and saying, “All right, come on, buddy. Come on with me,” as opposed to, you know, resorting to further tactics that might be more damaging.

Brandon:  So as we look at this phase, where previously with Defend, we’re kind of in a maintenance mode. Even with Deceive, we are largely in a maintenance mode and monitoring. Disrupt seems to be taking an active stance, would you agree?

Spencer:  It is. I would almost call it a traditional, a more traditional incident response mode, you know? There’s some active defense here, there’s damage control and mitigation at this point in the spectrum. When you start looking at the previous two spectra, Defend and Deceive, within Defend, really, you’ve already stood up your walls and you’re letting people come and attack the walls, right?

Your walls being things like firewalls and like bastion hosts and vulnerability management patching practices, and so forth.

You’re monitoring what they’re doing, what the bad guy’s doing when he’s attacking you, so that you can begin to gather intelligence, begin to get a true understanding of what the attacker is capable of and what their capabilities are.

In the Disrupt spectrum, you’re taking advantage of the information that you gained doing the monitoring in the Deceit spectrum. You’re really looking more at the what did we learn about this guy, what can I throw up in front of him to slow him down, OK?

And, you know, it’s really, this layer that we’re talking about taking advantage of what we know and what reconnaissance we’ve been able to get on the attacker himself.

Now, that begs the question. Does that mean that at this layer we have to be able to attribute the attack? The answer is no, that’s not at all what it means. What it means is I have to be able to say that that’s the IP address that’s attacking me.

Now, at this layer I might also determine that, you know what? It just stops. If I can wait it out and there’s a cessation of attack, I can still remain at this layer because at no point is there a retaliation associated with this.

That’s the neat part about this spectrum and the spectrum to the left of it. In the Deceit spectrum, in the Defense spectrum, and also in the Disrupt spectrum the immediacy of the attack is not the primary consideration because taking that action is not retaliatory.

Brandon:  Right, but the caveat that goes with moving to an active stance like this is twofold, as I see it. One is the drain on internal resources. This is the first time that you begin committing internal resources to your defense in an active fashion.

To cut over to a DR facility, for example, for your web server is non‑trivial. It takes effort. You’re going to have to coordinate that, et cetera.

Similarly, if you start black holing or shunning traffic only to find out it’s from a legitimate business partner or customer, you could rankle the business side of this, as well.

I think that there’s some caution that needs to go with moving to this active stance, both in terms of resource utilization and potentially causing damage yourself, cutting off your proverbial nose to spite your face.

And so, I think that as you escalate through this continuum, pause here because this is where a lot of risk based decisions need to be made.

Whereas previously, what we’re talking about are really very limited risk based decisions. You’re putting up a firewall. That’s a good, sound, solid, common practice.

You’re limiting ports. You’re doing egress filtering, all of those good, happy things. We’re assuming that you’re doing things right as we go through this.

Now at this point, though, you’re actually running the risk of Disrupting your own business, not just the attack, through resource utilization and potentially blocking or closing or shunning legitimate network traffic.

Spencer:  That’s right. I would think of it in terms of incident response. One of the interesting things about incident response programs is, there’s a cost associated with spinning out these resources. You’re taking away from your normal daily activities.

Essentially what you’ve done at this point, and you’ve identified that there is an issue that is significant enough that you can take these folks away from their daily duties.

It’s going to be more than just your security team, generally, involved in this. You’re going to have folks from your network operations, from your infrastructure organization who are involved, maybe from your applications, maybe from, at this point, your corporate communications and legal department.

At this point, you start spending resources beyond just tools and technologies that you’ve laid out, and normal daily monitoring processes, as you’ve alluded to it there.

What I think is ultimately the key component of this, though, is if there’s really a need at this level to ask yourself, “Do I need to go any further?” also as you alluded to.

But along the way, please realize, this is the level to which people traditionally go anyway in incident response.

Brandon:  No, you’re absolutely right.

Spencer:  But I would say, this is the extent of it. This is the limit of traditional incident response. After this point, well, here there be dragons. To lay out the signpost, “Abandon all hope, ye who enter here.” Because after we discuss this spectrum, everything else becomes a little more theoretical, a little bit more in your face, and a lot more communication with the outside world, if you will, and bringing the fight to the enemy.

Brandon:  Right. This is nothing different than what we’ve been doing to date. In our next session, when we talk about moving into that next phase, that’s when we’re going to get into the area where there may be civil or criminal ramifications. The rubber’s really going to meet the road because this is where we get into actually reaching out and touching someone.

Spencer:  That’s exactly right. Anywhere in the Disarm and Destroy spectrum, there will be a real need to make sure that you’ve got an understanding of what your legal liability is. The need to understand what your capabilities are. And there’s really going to be a need to understand what’s going to happen if you fail in your attack.

You mentioned martial arts. One of the things that’s important in martial arts is thinking that one step ahead. If I do this, what’s he going to do to me? What’s going to happen if he’s able to block the strike that I’m planning to land on him?

I think giving consideration to that, don’t exceed the Disrupt spectrum because, quite frankly, you’re probably going to put yourself into some more jeopardy by launching a [inaudible 26:45] attack than you would by simply making sure that you…Or just shutting down your own network and waiting out the fire.

Brandon:  Right. I think you’re right there, that this takes thought at this point and beyond. We’ll save, obviously, those items for the next time when we speak. Hopefully later this evening.

Spencer:  Absolutely. Looking forward to it.

Brandon:  All right.

Cyber Assault is NOT Cyber War
http://orlandodoctrine.com/?p=188
Thu, 24 Jan 2013 19:49:38 +0000

Woman:  This call is now being recorded.

Brandon Dunlap:  Did you get a notification?

Spencer Wilcox:  Yeah, that this call is now being recorded. I consent.

Brandon:  Perfect.

Spencer:  OK.

Brandon:  Wonderful. Well, you’d have to consent, because now there’s a log of you actually accepting the call after hearing that it is being recorded even though you initiated it.

Spencer:  I guess an interpretation…

Brandon:  All right, Spencer. Let’s talk about the differences between cyber warfare and cyber assault. It seems as though there is an awful lot of noise, every time you and I bring up the concept of counter attack, everybody seems to be waving the cyber war flag.

“What happens if it’s a nation state?”

Or, “This is the purview of the State Department and the Department of Defense.”

I think that we’ve firmly established that this is an issue of assault and we don’t care who it is that’s hitting us, right?

Spencer:  That’s right. The big concern, I think, has always been that you might accidentally hit back a nation state. Therefore, could a company, for instance, create an act of war or essentially wage war upon a nation state?

The answer is, it depends on what country you live in. It also depends upon how you define cyber war.

If I’m a company in these here United States, which is really all I can speak to, then it’s my responsibility to protect and defend myself from an assault. In this case, I see an attack upon my network as nothing more than an assailant assaulting my company’s property or assaulting me. I liken it to being punched in the face over and over again.

Brandon:  Or the analogue we have often invoked, that of the security guard.

Spencer:  Right. Basically, if my company is being assaulted, if I am being assaulted, if I am personally being assaulted, it’s my responsibility to stop that assault because there are [inaudible 02:53] to law in the assault itself.

I have to stop it.

It’s not the government’s responsibility to stop it unless it ties to government. I can avail myself if I’m a private citizen or a company, of private security. Someone to witness the assault upon me and to take action against the assailant.

I can be my own private security.

I can secure myself.

I can defend myself.

The way I can defend myself differs. I can start with telling the assailant, “Don’t do that. Leave me alone,” and I can work my way all the way up to deadly force if necessary in self‑defense. What’s different about self‑defense and this concept of cyber war is attribution. Attribution, in cyber war terms, assumes that I have to know who it was in order to declare war upon him or to wage an act of war.

Brandon:  Unless that’s the “war on terror”, but let’s pause there for just a second.

I want to touch on this point of attribution real quickly because this is a case of an unknown assailant or perhaps partially known or partially culpable third party assailant.

You are taking a self‑defensive action. This does not touch on any of the UN requirements for preemptive strike, self‑defense, or counter attack, such as in the case of an invasion (or imminent invasion). What we’re describing here is purely an assault, and how we’re treating this under the guise of US law, correct?

Spencer:  It’s simple criminal activity. It’s no different from an assault, from a physical assault, upon my person.

Brandon:  Or, upon property.

Spencer:  Right. A burglary, for instance, or it may be even something as simple as vandalism.

The question is one of severity and immediacy.

The severity of the act or the attack, the assault, let’s say, is what really determines the level of the response or the strenuousness, I don’t know if that’s the right word, of the response.

Brandon:  We’re talking about proportionality here, right?

Spencer:  Yeah. The proportionality of the response.

If somebody is pounding me in the face with their fist, well, that’s bad. If they’re pounding me in the face with a baseball bat, that’s worse. Depending upon the severity of what they’re doing, I should respond in a way that’s proportional to the attack.

The second thing is, not only do I have to worry about proportionality, but I also have to respond immediately.

It can’t be that I wait until after the attack happens. I have to do something about it now while the attack is occurring. Otherwise it’s retaliation.

Brandon:  You’re getting into almost vigilantism at that point as opposed to mitigation.

What you’re saying is stop the attack now, and how do I do that?

It might involve hitting them back. Just like we see in self‑defense courses, I’m in a dark parking lot headed to my car after work. Somebody tries to snatch my laptop bag. I resist. They start beating me up for it. I fight them back, and they run away. That would be an analogue or an equivalent to what we’re talking about.

Spencer:  That’s exactly right. Let’s use that example. Somebody tries to steal your laptop bag. You resist. You’d fight back after they assault you.

The question that has to be answered later on…because what you’ve done by hitting that person, by harming that person who was assaulting you, is still a crime.

It’s still a criminal offense. You’ve still assaulted them.

If you laid hands on them, you assaulted them. Even though you, in the act of defending yourself, believe you’re fully justified in doing it, the law says that you can’t do that.

What do you do about it?

Well, you’d take the act anyway because it’s necessary in order to defend yourself.

But what will happen is, if you were in fear and there was immediacy in the attack and your response is proportional, if all of those things happened, then generally speaking what will happen is you’ll either be found not guilty or no one will prosecute it. Then they’ll just simply say that the attack occurred that personal self‑defense was necessary. In other words…

Brandon:  Hold on. Let me pause here because that’s a very important point: that it might not be prosecuted because it might be deemed self‑defense. Therefore, the prosecution would never take up the case. What you’re saying is if you hit me and I hit you back, technically we both assaulted each other.

Spencer:  That’s right.

Brandon:  Yet, if you hit me first, it might be possible, because it is immediate and I have responded proportionately, that I may be never prosecuted, and my case of criminal action against you might stand or civil action. But therefore, no civil action would be taken or criminal charges filed against me because no prosecutor would take the case; because I was obviously acting in self‑defense.

Spencer:  But it wouldn’t be a civil act in that way. It would have to be criminal for a prosecutor to be involved. Yet, in a civil case, it would be up to the courts as to whether or not they would hear the case. Generally speaking, a court will take just about anything from a civil perspective.

Brandon:  Let’s go back to that proportionality for just a moment. If I’m getting beaten up at a parking lot and I reach in my bag and pull out my mace, stun gun, something non‑lethal, and disable or thwart the attack, that is a move up the use‑of‑force continuum. That is, while perhaps not proportionate because I was not attacked with a weapon in kind, it is still deemed OK by necessity or immediacy to thwart the attack?

Spencer:  Well, the way that would work is, let’s say that you escalate to use of force. You escalate as a person.

It’s going to depend upon the laws of the location in which you are.

Let’s say, for instance, you’re in a state that has banned certain chemical weapons, like pepper spray. There are a number of states who’ve said that pepper spray shouldn’t be used, or can’t be used, or can only be used in a certain concentration. Let’s say, for just a moment that you’ve decided to use the pepper spray anyway, because the person is punching you, and you don’t feel that you have the capability of defending yourself against them. They’re stronger than you, they’re bigger than you, they’re faster than you, whatever it is.

He’s wearing the black belt that he just earned in karate class, while he’s punching you out. You have made the determination that you’re unable to defend yourself without the assistance of some device, and you decide it’s pepper spray. Well then…

Brandon:  …defense.

Spencer:  Exactly. It’s going to be perfectly OK in most states. Some states may say, “No, no, no. Pepper spray is wrong any time, 100 percent of the time,” or, “You can never have a stun gun.” Does that alter the fact ‑‑ to answer your question with a question ‑‑ that you were acting in self‑defense?

Brandon:  No.

Spencer:  Why is that?

Brandon:  Because I was still in fear for my life and/or property, and I used, in this case, technology or devices that were available to me, to stop or thwart the attack.

Spencer:  Go ahead…

Brandon:  The fact that I have carried an illegal weapon, shall we call this, into a jurisdiction where it is prohibited ‑‑ or a legal weapon in one jurisdiction, crossed it into another jurisdiction, it is illegal to own or possess ‑‑ is that in itself a consideration in the self‑defense case, and that could bring separate charges against me that are criminal, completely irrespective of the incident.

Spencer:  Which is kind of, this is territory that you and I haven’t discussed before, but it just dawned on me.

What happens if I’m using something that is, in and of itself, illegal?

Brandon:  Let’s not get into that rabbit hole just yet. There’s a number of places to go with that. Let’s stick with the fact that I have an assailant who is causing physical battery.

I am responding with augmented defense, we’ll call it. Now, does the scope change on when I bring that out?

Is that different if I have multiple assailants?

If I see three thugs coming after me and I reach for my pepper spray first, and they still attack, the pepper spray wasn’t, therefore, a deterrent. It was perhaps seen or brandished. They still attack, and I use it on them, is that still considered proportionate to the threat?

Spencer:  Again, that’s when we get into the question on any kind of self‑defense.

We might have to start talking about things like, stand your ground, or castle doctrine.

The question there really is, were you in fear?

Was the potential assailant apparently capable of carrying out an assault?

Brandon:  If I’m outnumbered, I would say immediately, yes.

Spencer:  Well then, and the last piece is, in your opinion, was there a risk that the person or persons were going to attack you?

Did you believe, in your heart of hearts, you were in danger right now?

If you can answer yes to those, then I would argue that certainly there’s a justification for a use of force, but it would be less‑than‑lethal force.

Now, let’s say that the three thugs, if you will, were carrying baseball bats, or tire irons. They’re coming towards you. They clearly have the ability to cause you harm, right?

Brandon:  Absolutely, and we can probably infer intent…

Spencer:  That’s right. You can state with some degree of certainty that they appear to intend harm to you, because they had tire irons, and there were three of them.

You could certainly state definitively that you were probably afraid for your life or for what they might do to you.

Would you be justified in using force against them? Absolutely.

Would you be justified in using an escalated force against them? Absolutely. Again, depending on the laws and depending on the jurisdiction.

You would probably be able to justify having taken an action, if there were ever some action taken against you. Most of the time, the bad guy doesn’t press charges.

Brandon:  True, but let’s look at it from this perspective. If they’re coming at me with baseball bats or tire irons, and they’re threatening, “Give me your laptop bag or I’m going to beat the crap out of you,” is that different than them actually swinging?

Spencer:  That is a good question. Again, they have the tire irons, so the ability is there.

Brandon:  The ability is there, the proximity and the immediacy are met, but at this point it is merely a threat.

Spencer:  I would argue you could certainly be justified in taking an act at that point simply because in some jurisdictions, the threat is, in and of itself, a simple assault.

Brandon:  Wait a minute.

Spencer:  Go ahead.

Brandon:  The threat is imminent assault?

Spencer:  Is, in and of itself, a simple assault.

Brandon:  Really? The verbalization of, “Give me your bag or I’m going to beat you,” is actually assault, correct?

Spencer:  Yeah. In some jurisdictions. Some jurisdictions.

Brandon:  Certainly. We know this will vary by state, municipality, country, et cetera.

I know a lot of women, for example, that carry pepper spray on their key chain for when they walk out to their car at night, they’ve got it locked and loaded, so to speak. Now, of course, it’s a non‑lethal weapon, but is that anticipation of a potential threat or assault factored in at all when it comes down to being assaulted?

“I had my pepper spray in my hand, your Honor, and I was approached. I was already in fear by walking through a dark parking lot at night with high valuables in my bag, alone. Therefore, I was already at a heightened alert level, when I was attacked.”

Doesn’t that introduce some degree of premeditation? Or does that constitute just a heightened DEFCON status, so to speak?

Spencer:  Again, a good lawyer could argue it either way.

I’m certainly no lawyer, but, fear is a relative thing.

It’s a very subjective question.

I could be afraid of an eight‑year‑old child because, and I may believe the eight‑year‑old child has the ability to cause me harm. There was actually a recent case about that, and I can’t recall where exactly this was, but the school security officer arrested a first grader who was hitting him, for assault.

The first grader couldn’t harm him. She wasn’t doing significant damage, but the first grader was hitting him, so he arrested her.

Does that demonstrate good judgment on the officer’s part? That’s arguable. But certainly, all of the criteria were there to constitute that assault. The officer had some reason to fear, the officer was assaulted. In this case, the officer took an action.

You could make the same case for anyone who is afraid of an act that’s imminent. It’s that immediacy, again.

The person seemed to be capable, the potential victim, the person who’s got the pepper spray believes that he or she is in jeopardy.

As a result, they take an action when approached.

It’s justifiable to take that act.

Brandon:  In everything we’ve discussed so far, no mention of specific UN articles, Congressional declaration of war, etc. comes into play.

We’re talking purely about assault.

I think that the rhetoric that we have been seeing regarding the Orlando Doctrine and the Network Use of Force Continuum doesn’t necessarily apply.

But, it could be applied, to some degree, to international incidents. But this is really a civilian action of self‑defense, and a civilian acting as an individual, as an agent of another organization.

Spencer:  Well, let’s use some specific terms here.

It is a private citizen defending his or herself against an assault?

That private citizen, in this case, is any individual who is a citizen of the country. But private citizens also include companies, corporations.

A corporation is a person, it’s an individual.

The law says so.

Why would we treat a corporation defending itself differently than we would an individual defending themselves?

Brandon:  Well, to some degree, you’re going to have some degree of liability for the individual who is acting as the agent for his company.

And that company may decide to disavow or argue, perhaps, that individual acted without authorization.

At some point, you have an agency of the organization argument that needs to be made, that they were acting on behalf of the corporate entity.

Take this back to the individual, I am defending my family, as a responsibility.

Spencer:  You could go there, or you could simply say, the person who is acting on behalf of the company is a hired guard.

Brandon:  In the case of a security guard force.

Spencer:  That’s right.

Or of a network defender working on behalf of his company.

But could we save that for our next conversation?

Brandon:  No, no. I think that’s fine.

I think we’ve covered a lot of ground already with regards to framing the concept against the analogue between a physical use of force versus a network use of force.

I think we’ve made good progress.

I understand you need to go.

I need to get this recording checked out and see if it actually can be transcribed, otherwise we have to repeat ourselves.

Spencer:  I very much enjoyed the conversation, and I’m looking forward to more of them.

Brandon:  Well, let’s keep doing this.

Spencer:  All right, my friend.

Brandon:  I’ll talk to you soon.

Spencer:  Take care.

Brandon:  See you soon in DC for Suits and Spooks.
