[BreachExchange] Is it wrong for victims of cyber-crime to hack back?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 26 19:27:07 EDT 2016


https://www.weforum.org/agenda/2016/09/is-it-wrong-for-victims-of-cyber-crime-to-hack-back

Is it wrong to hack back - to counter-cyber-attack when you’ve become a
victim?

The presumed answer is yes. In the US alone, the Department of Justice
calls hacking back “likely illegal”; the Federal Bureau of Investigation
“cautions” victims against it; and White House officials call it “a
terrible idea.”

But none has clearly declared it illegal. The law has not caught up with
technology here - whether in the US or other geographies - and we don’t
have a test-case in court yet. In the meantime, we can look toward ethics
for guidance, which surprisingly might permit hacking back.

If cyber-attacks are a law enforcement issue, the usual solution is to let
the authorities handle it. They’d work to capture the suspects, put them on
trial, and punish them if found guilty. To circumvent this process seems to
be vigilantism, which threatens the rule of law and therefore civil
society’s foundation.

But when cyber-attackers continue to elude identification - forget about
capture and prosecution - does it still make sense to defer to the
authorities? Help is not on the way. For instance, the FBI said this about
ransomware, or malicious software that locks down a user’s system until
money is extorted. “To be honest, we often advise people to just pay the
ransom,” they said.

If the wheels of justice are systematically stuck, then it may not be
vigilantism to take action against your attacker. Part of our social
contract to create and abide by government is to give up our natural powers
to take justice into our own hands, in exchange for a more reliable and
fair legal system. Arguably, our obligation to defer to law enforcement is
suspended, on this particular issue of cyber-attacks, if they can’t uphold
their end of the bargain.

Anyway, your right to self-defense is basic and does not go away, even when
help is on the way. In a home robbery, for example, it’d be reasonable to
defend your family while waiting for the police, since a lot can happen in
the several minutes in between.

But what if you can’t identify the attacker? What if he’s really an
innocent person who accidentally stumbled into your house or was coerced?
This is a popular concern; hacking back might target innocent people, since
attribution or identification is so difficult.

For instance, in a distributed denial of service or DDoS attack, if you
knock out the computers that were unwittingly hijacked and used to swarm
against your system, are you attacking “innocent” computers, and is that
bad? Their owners aren’t malicious and didn’t agree to this use, though
they may be negligent in not updating anti-malware defenses.

Well, we don’t need to establish guilt before we can act against an urgent
threat, or else it’d always be too late. All that we need to know, at that
moment, is that the person is a threat to others, culpability aside.

Even the police aren’t expected to ascertain an attacker’s identity and
motives before using force. A bank robber or suicide bomber could really be
a coerced victim himself, whose kidnapped family would be killed if he did
not carry out the crime or terrorist act. Yes, it’d be regrettable to use
force against innocent people, but sometimes even lethal force is justified
and reasonable.

Another worry with hacking back is that it may escalate a conflict: it may
invite retaliations, further mayhem, and collateral damage. But this is too
broad an objection, as any case of self-defense could be accused of the
same provocation. This seems to be victim-blaming, similar to faulting a
mugging or rape victim for additional injuries sustained as a result of
fighting back.

Critics also worry that hacking back may destroy evidence needed for
prosecution of the initial attack. Putting aside a lack of reliable
prosecution against cyber-attackers in the first place, this objection also
could be victim-blaming: it’s reasonable to resist a mugging, rape, or
other criminal acts, even if that might destroy evidence of the crime.

This ethical analysis is just a sampling of a bigger discussion we just
published in a new report. Even if we look at cyber-attacks as a military
problem (since many attacks come from overseas) or public health problem
(like fighting against a virus outbreak), there could be other reasons to
think that hacking back is ethical.

If so, the next step is to take another look at the legality of hacking
back, as both law and ethics may have been prejudged hastily on this
subject. At a time when we need more options when responding to cyber
threats, and when we’re still grappling with the cyber domain conceptually,
it may be premature to take any reasonable options off the table.