Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Hacking Back


Hacking Back

Is it wrong to hack back - to counter-cyber-attack when you have become a victim?

The presumed answer is yes. In the US alone, the Department of Justice calls hacking back “likely illegal”; the Federal Bureau of Investigation “cautions” victims against it; and White House officials call it “a terrible idea.”

But none has clearly declared it illegal. The law has not caught up with technology here - whether in the US or other geographies - and we do not have a test-case in court yet. In the meantime, we can look toward ethics for guidance, which surprisingly might permit hacking back.

If cyber-attacks are a law enforcement issue, the usual solution is to let the authorities handle it. They would work to capture the suspects, put them on trial, and punish them if found guilty. To circumvent this process seems to be vigilantism, which threatens the rule of law and therefore civil societys foundation.

But when cyber-attackers continue to elude identification - forget about capture and prosecution - does it still make sense to defer to the authorities? Help is not on the way. For instance, the FBI said this about ransomware, or malicious software that locks down a users system until money is extorted. “To be honest, we often advise people to just pay the ransom," they said.

If the wheels of justice are systematically stuck, then it may not be vigilantism to take action against your attacker. Part of our social contract to create and abide by government is to give up our natural powers to take justice into our own hands, in exchange for a more reliable and fair legal system. Arguably, our obligation to defer to law enforcement is suspended, on this particular issue of cyber-attacks, if they can not uphold their end of the bargain.


Anyway, your right to self-defense is basic and does not go away, even when help is on the way. In a home robbery, for example, it would be reasonable to defend your family while waiting for the police, since a lot can happen in the several minutes in between.

But what if you can not identify the attacker? What if he is really an innocent person who accidentally stumbled into your house or was co-erced? This is a popular concern; hacking back might target innocent people, since attribution or identification is so difficult.

For instance, in a distributed denial of service or DDoS attack, if you knock out the computers that were unwittingly hijacked and used to swarm against your system, are you attacking “innocent” computers, and is that bad? Their owners are not malicious and did not agree to this use, though they may be negligent in not updating anti-malware defenses.

Well, we do not need to establish guilt before we can act against an urgent threat, or else it would always be too late. All that we need to know, at that moment, is that the person is a threat to others, culpability aside.

Even the police are not expected to ascertain an attackers identity and motives before using force. A bank robber or suicide bomber could really be a co-erced victim himself, whose kidnapped family would be killed if he did not carry out the crime or terrorist act. Yes, it would be regrettable to use force against innocent people, but sometimes even lethal force is justified and reasonable.

Another worry with hacking back is that it may escalate a conflict: it may invite retaliations, further mayhem, and collateral damage. But this is too broad an objection, as any case of self-defense could be accused of the same provocation. This seems to be victim-blaming, similar to faulting a mugging or rape victim for additional injuries sustained as a result of fighting back.

Critics also worry that hacking back may destroy evidence needed for prosecution of the initial attack. Putting aside a lack of reliable prosecution against cyber-attackers in the first place, this objection also could be victim-blaming: it is reasonable to resist a mugging, rape, or other criminal acts, even if that might destroy evidence of the crime.

This ethical analysis is just a sampling of a bigger discussion just published in a new report you can download below. Even if we look at cyber-attacks as a military problem (since many attacks come from overseas) or public health problem (like fighting against a virus outbreak), there could be other reasons to think that hacking back is ethical.

If so, the next step is to take another look at the legality of hacking back, as both law and ethics may have been prejudged hastily on this subject. At a time when we need more options when responding to cyber threats, and when we are still grappling with the cyber domain conceptually, it may be premature to take any reasonable options off the table.

HackingBack Report: http://ethics.calpoly.edu/hackingback.pdf

Comments
Sorry but there are no comments to display