In the cyber world, companies may be accused of selling defective goods, providing poor service, misleading customers, defrauding the government, or committing unethical or criminal conduct. These accusations can appear in emails to company clients or government enforcement agencies, posts on blogs or company websites, tweets, or streamed video clips on social media. They may come from competitors, customers, foreign governments, or strangers. What's worse, they may be cloaked in the anonymity of the Internet, making it difficult (but not impossible) to hold responsible persons accountable.
October 27, 2017
Responding to a Cyber Reputation Attack: A Game Plan and a Digital Forensics Expert
Michael Maschke, Joe Meadows, and Laura Aradi – November 2, 2017
Cyber reputation attacks are on the rise. Responding to them requires a RAPID game plan and a good digital forensics expert.
R-A-P-I-D Game Plan
A company's first impulse to respond to a cyber reputation attack may be to hunt down the attacker and file suit. But litigation is costly. Other approaches may achieve the same end result. A more methodical approach is preferred.R – Recognize if the company has a legal claim. The company will need to understand the basic elements of reputational claims such as defamation, disparagement, false light, invasion of privacy, unfair trade practice, or a Lanham Act claim. Perhaps the cyber reputation attack isn't actionable in court. For example, in the defamation context, the damaging statement (not simply opinion or sarcasm) must be false, directed at the company's reputation, published to others, made negligently or with malice, and cause the company reputational injury. If any one of these elements is missing, the company probably has an image or public relations problem, not a legal claim for defamation.
A – Assess whether action is necessary. Not every cyber reputation attack deserves a response. Maybe it can be ignored if the damaging statement lacks obvious credibility (the company hires space aliens because they're cheaper), appears in a low-profile Internet location (buried in a long list of online comments), disappears quickly (Snapchat), or doesn't clearly target the company (mentioning only an industry, not the company).
P – Proceed informally first. If the company rules out inaction, it should consider informal responses:
Post a counter-narrative to dispute the statement and mitigate damage.
Demand that the attacker retract or correct the statement.
Ask the attacker's Internet service provider or web host to take down the statement, particularly if it violates user terms of service.
Employ trusted and ethical search engine optimization services to push down the statement in search engine results.
I – Investigate the prospect of litigation. Litigation may end up being the company's best option. But before filing suit, the company should evaluate its goals—Money damages? A retraction and injunction? A "victory" by default judgment? Deterrence against future attacks? Clearing the company's name?—and evaluate the relative strengths of its claims and the attacker's defenses. In defamation cases, the inability to identify actionable false statements or sufficiently allege malice often proves quickly fatal. Defenses based on privileges (fair comment, judicial), immunities (section 230 of the Communications Decency Act), and the First Amendment (anti-SLAPP laws) can also derail a case early on.
D – Draft the right complaint / Discover the attacker. If the company decides to sue, it should draft the complaint with the right parties. In defamation cases, the plaintiff needs to be the direct target of the damaging statement, not a subsidiary or other affiliate unless it has its own independent claims; and the defendant may include re-publishers of the statement (second bloggers or re-tweeters), those who conspired with or aided and abetted the main attacker, or John Does in anonymous cases. In addition, the company should include other reputational claims in the complaint. If the main one fails, backups are available.
The company should seek early discovery of the identity and motivations of the attacker, especially in John Doe cases. But it should expect fights from the attacker, Internet service providers (ISPs), or web hosts over whether discovery subpoenas are overbroad, violate the Communications Decency Act or Stored Communications Act, or interfere with claimed First Amendment anonymity rights. The First Amendment issue is complicated. Federal and state courts employ a variety of tests in deciding whether to order disclosure of information that would unmask a John Doe. Most require some form of notice of the claim to Doe, prima facie proof of the underlying claim, and a legitimate need for Doe's identity other than to "out" the attacker—e.g., proving Doe actually made the damaging statement or establishing why and with what degree of fault Doe made the statement.
Digital Forensics Expert
A company's game plan should also include a knowledgeable, experienced (certified) digital forensics expert.
Increasingly, digital forensics experts or examiners assist clients and counsel with cyber reputation attacks. They investigate data breaches, analyze the sources and methods of cyber attacks, identify attackers, track continuing online activity, isolate and preserve electronic evidence, and sometimes testify.
The storyline for these cases follows a similar pattern: a company may experience harassment in an online forum, receive a nasty "anonymous" email, or be the subject of a disparaging video blog post. Luckily, cyber attackers are often brazen and believe they won't ever be found. This overconfidence can cause them to slip up somewhere along the way, ultimately leading to their identity and motivations behind the attack.
One key to finding the attacker is fairly obvious—the attacker's Internet protocol (IP) address. An IP address is a unique value assigned to an Internet connection, akin to a physical home address. If you send an email message, your IP address is embedded within the email header. If you post a comment in an online forum, your IP address may be recorded by the web host. If you write a blog post or send a tweet, your IP address may be logged by the Internet service provider. A digital forensics expert can help locate IP addresses and distinguish real from fake ones.
IP addresses, however, may lead to a dead end. They may be dynamic (as opposed to static) addresses that can't be traced to a particular user or location, or they may be on open public networks (think a local coffee shop) or rigged to lead to a wrong or unknown target.
The Tor browser—often used in the dark web—is a popular mechanism to cloak IP addresses. It connects users to an open network, the Tor Network, which shields users' identities by bouncing their communications around a distributed network of relays. This in turn prevents websites from storing originating IP addresses that could lead to the physical location of users.
For users wanting to anonymously set up their own websites (and later engage in masked cyber attacks), "privacy-by-proxy" companies have recently come to their aid. They help register untraceable website domain names. Earlier this year, one particular company outside the United States began offering proxy registration services that include granting its customers full usage rights to requested domain names and rights to transfer those names to yet others.
A digital forensics expert can employ countermeasures to these masking technologies. For instance, an expert will know how to research the Internet Corporation for Assigned Names and Numbers (ICANN) and the American Registry for Internet Numbers (ARIN) for information on domain names and IP addresses. Other countermeasures will depend on the fora used by the cyber attacker.
An expert investigating an ISP or website will look at a number of factors:
whether the ISP or website required user registration information to send messages and post content
whether the ISP or website logged various user interactions, including log-in / log-out times, device information, GPS and local time data, and secondary or password recovery contact information
whether the ISP or website is reputable and reachable, or well known in cyber attacker circles
A digital forensics expert may not need to use technological methods or analysis to discover information about the cyber attacker. A simple forensic study of documents, Internet handle names, what others are saying online, and the content and timing of the attacker's statements may be all that is needed.
Forensic study materials may come from the company directly. The company will need to take steps to preserve all evidence in a cyber attack. Emails, online comments, blogger statements, tweets, and videos should be preserved in their native form and on all devices, including mobile ones. At a minimum, screenshots of this information should be taken. Trying to restore and later authenticate deleted material can be challenging and costly. A digital forensics expert will know how to guide companies and their counsel through the preservation process.
Conclusion
Cyber reputation attacks—especially anonymous ones—are increasing. They require a methodical approach, but one in the form of a RAPID game plan. Coordinating with an experienced digital forensics expert is also important. It can be pivotal to the outcome of the company's case—during the investigation, response, and litigation phases.