Can We Hack the Hackers?
Welcome back, my rookie hackers!
For some time now, I have been contemplating this issue, can we hack back the hackers? As someone who plays on both sides of the cyber security ping pong match, I've wondered whether I can use my hacking skills in self-defense of my clients. As a result, I put together a somewhat academic article exploring the legalities and justifications for "hacking the hacker." I hope you will bear with me and give this a read, then give me your thoughts and opinions.
With each day dawning comes new cyber attacks. No one is immune from these attacks; national governments, corporations, and individuals are all vulnerable to these attacks and they seem to be accelerating as our world becomes increasingly dependent upon digital means of functioning. In a era where nearly every aspect of our lives has a digital component, this shouldn't come as any surprise.
Despite the fact that our defenses have become increasingly forbidding (next generation firewalls, IDSs, etc.), the number and severity of these attacks continue to increase. Unfortunately, these attacks are likely to continue and accelerate because of the following.
Within the IT security industry, the subject has been breached in recent years as to the legality and legitimacy of "hacking the hacker" during or after an attack. Some argue that this is the legal equivalent of self-defense. In this article, I would like to explore this concept and legality of "hacking the hacker" as the digital equivalent of self-defense.
Probably from the very time that humans first aggregated into clans and communities, there has been a recognized natural law of self-defense. In simple terms this law says, "If you attack me or mine, I have the right to defend myself, which may include exacting violence upon you." This natural law has been codified within nearly every culture and legal system around the world. It existed in ancient Rome (in the concept of protecting domus or home) and within the English common law system for centuries. It existed for centuries before being codified as judges simply recognized the inherent "common sense" in this natural law. England's and the English speaking world's most noted and esteemed legal scholar, William Blackstone, wrote in his Commentaries (1765-1769):
"Self-defence, therefore, as it is justly called the primary law of nature, so it is not, neither can it be in fact, taken away by the law of society. In the English law particularly it is held an excuse for breaches of the peace, nay even for homicide itself: but care must be taken, that the resistance does not exceed the bounds of mere defence and prevention."
Note that Blackstone says that this is such a "primary law of nature" that it cannot be "taken away by the law of society."
Outside the Western world, the principle of self-defense has been recognized as well and in some cases, with much more leniency and leeway. In some cases, the right to self-defense may be limited by the minimum amount of force necessary to stop the crime, but in the People's Republic of China in 2009, a case was ruled as justifiable homicide when a robber was killed who was trying to escape. The court ruled that the homicide was justified as "self defense" because "the robbery was still in progress."
It goes without saying then, I believe, that a right of self-defense is a well established principle in nearly every culture.
The question I want to address here then is, "Can we apply this universal and natural law and principles to our digital world of the 21st century?"
Some have argued then that since this natural law is nearly universally recognized, we can apply it to our digital domains and it would have a positive effect on the safety and security of our digital domains.
The arguments goes something like this; if the hackers believed that they might be met with an attack upon themselves, they are more likely to be reluctant and hesitant to attack innocent institutions, individuals, and governments. Just like in the widely held principle self-defense to your person and property, an attacker has to consider not only how self-defense might impact their probability of success, but also whether self-defense might lead to the exercise of violence and damage upon their person and property. In our physical world, self-defense can lead to the manslaughter of the attacker and the victim will bear no legal liability as such manslaughter justified. In some cases, this might give the attacker pause... at least, once.
Let's try to make this more concrete in our physical world. Take for instance the case of a street thief. He is much less likely to attack a very large, muscular victim who appears possibly armed than an innocent, frail, unarmed victim. Why? because of the possibility that he might become the victim. This isn't just an estimation of the possibility of success, but also the possibility that they themselves might become damaged in the attack. Couldn't this same principle apply to cyber security as well as the street?
Some would argue that self-defense only applies to stopping the attack, but if the hackers have entered our property and stolen our assets, then the attack is still "in progress," to borrow the words of the Chinese jurist. As such, self-defense would still be a legitimate defense as long as the attackers are in possession of our property (data).
Imagine a scenario in the near future, where our neighborhood cyber crime gang is contemplating an attack upon an innocent institution. They know that that same institution has at its disposal a group of well-armed, "gun-slinging" hackers. That same institution was recently hacked and the self-defense hackers not only responded with their own attack, deleting data on the cyber thieves' hard drives, but also then DoSing them so that they could no longer access the Internet. Would they think twice before going after them?
For those of you who are scholars of the history of the American West (or at least American westerns), you are probably aware that there was a time not too long ago when the American West was a lawless land, often referred to as the "Wild West." If you have seen any American western movies (Butch Cassidy and the Sundance Kid, among many others of this genre), I think you know what I mean.
I don't think it's much of a metaphorical stretch to see our current circumstances in the cyber world as "Wild and Lawless Cyberland" similar to the "Wild West" of the 19th century. At that time, many businesses—most notably the railroads—found it extremely difficult to operate their businesses in such an lawless environment. Eventually, they settled upon a solution: the Pinkertons.
The Pinkertons were a private law enforcement agency that the railroads and others hired to secure their assets and operations. Eventually, these Pinkertons were able to drastically reduce crime in the lawless West. Maybe, it's time we have the cyber equivalent of the Pinkertons. These "cyber Pinkertons" would discourage hackers from attacking our valuable assets and businesses by launching cyber counterattacks.
Even if the cyber security industry adopts a concept of "cyber security self-defense" where counterattacks are legitimized, there will still be the key issue of attribution. In other words, who and where are the attackers. If you have ever investigated the attribution of an attack, you know what I am talking about. The hackers/attackers often use proxies between themselves and the victim, so tracing an IP address can be problematic. This in itself may be the greatest impediment to the "hack the hacker" self-defense.
What do you think? Should the hacker be subject to a counter-hack?
If nothing else, this might open new employment opportunities for you, my novice hackers.