Posted by Kevin on December 27, 2015.
It is a natural law that you can meet force with force in order to defend yourself. How far should this extend into the cyberworld: should hacking back be a legal right for private business?
The right to hack back has been debated for many years. It is quite clear today that such an action would be illegal. However, there are increasing grey areas where it already happens. Four years ago the Dutch police took over a Bredolab C&C server and used it to deliver warning messages to users infected by Bredolab – almost certainly in contravention of national laws such as the UK’s Computer Misuse Act (cf: Dutch Police infect users with trojan – legal or illegal; good thing or bad thing?). Security firms, such as anti-malware companies, regularly hack suspected C&C servers to learn more about the malware and the gangs behind them.
In November 2015, Motherboard suggested that researchers from Carnegie Mellon had helped the FBI crack the anonymity of Tor, leading to the arrest of a senior staffer from Silk Road 2 and a suspected child pornographer. It seems like a no-brainer that private individuals should be able to take on law-breakers.
But there are both philosophical and technical reasons arguing against this. The first is that it smacks of vigilantism, much like the justifications offered by Anonymous. The second is that you do not necessarily know where or what an attacking host is. It could be an unpatched server in a medical establishment – one on which innocent lives depend.
We asked a group of CISOs from the Wisegate community whether they believe they should have the right to hack back when under cyber attack. We gave them six options:
Only four options received any votes. The first two options polarize the argument, effectively saying ‘yes’ or ‘no’. The remaining options suggest, ‘yes, but…’ or ‘no, but…’. In the simple ‘yes/no’ argument, the response is clear. By a vote of 6 to 1, CISOs believe in the rule of law – which currently says hacking back is illegal.
However, an equally popular option was ‘Yes – but only with the approval/direction of law enforcement’, also receiving six votes. This would suggest that many US CISOs believe the actions of the Dutch police over Bredolab, and the Carnegie Mellon researchers over Tor were justified. It leaves the actions of the security companies in a grey area, but in reality it is doubtful that many people will worry about the legality of this.
Overall, it would be fair to say that most CISOs believe that law enforcement involvement changes the equation. Three CISOs commented that hacking back is wrong:
“We should comply with the law at all cost…”
“We need to comply with legal regulations…”
“Hacking back is simply vigilantism…”
However, in each instance the initial statement was qualified by what amounts to ‘except with law enforcement involvement’. One view ties law enforcement involvement to a court order: “If a court order is issued to provide law enforcement with information, that would be OK. But to hack back while law enforcement watches you crosses the line.”
Other views suggest it is a natural right. “If you walk the streets of the seedy part of town, you can expect a lot more trouble than if you didn’t. If you play in the dark web (even only to look), you are in the seedy part of town. I think you run the risk of getting hacked, either by someone with mal intent or someone trying to find those with mal intent.” Another CISO likened it to a physical attack, where you have the right to fight back, but warned, “You are still responsible for any collateral damage that may occur during the process.”
The right to hack back remains a difficult and unresolved question. The majority view is that there is no simple right. Cyber street is not the same as Main Street, and your cyber property does not correspond to your home – you cannot just shoot the burglar. Nevertheless, the approval or request of law enforcement changes the balance of things. At the request or with the approval of law enforcement, hacking back becomes acceptable.