Are ‘Hacking Back’ and Other Cybersecurity Defences Acceptable?
If you could detect an attack on your computer system and defend against it, would you want to do it? should you be allowed to do it? What if defending meant harming the computer of the attacker? What if defending meant at least getting information about intermediate computers between the attacker’s and yours?
There are legal and ethical questions here. A review of the ethical ones appears in Stewart Baker’s blog, Skating on Stilts. (He is a former General Counsel of the US National Security Agency, among other high-level achievements.)
Mr Baker argues for private defence as well as for state-operated defence. What do you think?
Care to speculate about whether defending your system, or poisoning the attacker’s system, would constitute ‘colour of right’ that is a defence against a charge of unauthorized access to someone else’s computer system? [Criminal Code s 342.1]
His legal analysis is under US law, of course, since that’s where he’s writing, but this passage sounds applicable to the Criminal Code provision I alluded to above:
To oversimplify a bit, violations of the [Computer Fraud and Abuse Act] depend on “authorization.” If you have authorization, it’s nearly impossible to violate the CFAA, no matter what you do to a computer. If you don’t, it’s nearly impossible to avoid violating the CFAA.
But the CFAA doesn’t define “authorization.”
Likewise the Criminal Code does not define “colour of right”. Do the concepts overlap for this purpose?
Well, consider it as an electronic variation on breaking and entering. and it’s associated jurisprudence
Some fragile program has been “broken” to give the attacker entrance to your machine, and he’s “in” it. The part that’s in the machine is subject to arrest, and if it escapes, hot pursuit.
As a private person, I can pursue my attacker, subject to the expectation that I don’t hurt innocent third parties, but I may have to use (minimum) force to capture the attacker.
The minimums are subject to review by a court, but certainly I can tackle him and hold him for the police to arrive, but I can’t rip his head off and spit on it (:-))
I can also cry “stop thief” and request other citizens to trip, tackle or otherwise hinder the escaping criminal. They can’t rip his head off either, but they probably aren’t as motivated to do so as I.
When I cry “stop thief”, the police can step in, and use their powers to capture the criminal, and incidentally prevent me from removing his head.
In a network, the criminal is a thin tissue of electrons, a kind of psuedopod of action from their home machine, through many innocent third parties, to me. Many of those third parties may chose to help, and capture bits of the pseudopod (a stream of packets) that attacked me.
I may find the culprit quickly via WHOIS, and identify him, but I’m not sure what capturing him involves. More likely I find his ISP and address, and have to turn the problem over to the police in his country.
But what about a capture? What is minimum force? Perhaps he’s an unpatched Windows system: if his pseudopod is still deep in my guts, I can infect it with an antibody. Can I tak it farther and punch him in the host bus adapter? Tackle him and hold him down to -0.5 volts? Tear his psuedpod out by ethenet port?
If he’s subduable, can I subdue him? If he’s in the middle of attacking a hundred others, can we all DDOS him until he cries “uncle” and surrenders to the police?
At this point, similie runs out, and the hard problems arise. IMHO, some action is clearly my right, and some is very much not.
I’ll propose that tracking, tracing, antibody-infection and DDOS is legitimate, and infecting him with a random virus is too close to punching him out. Somewhere in between comes ripping off the pseudopods by knowing what they do and turning them against themselves on HIS machine. I wonder where that would fall…
–dave