MuhammadUsmanFirstPaper 3 - 09 May 2022 - Main.MuhammadUsman
Cyber peace: Is Hacking-back the solution?
-- By MuhammadUsman - 20 Mar 2022
Background
Over the past decade, governments across the world, private companies and even NGOs have been targets of comprehensive cyber-attacks. Nations across the world have been engaged in debates on how to counter this looming threat, but the sophistication and frequency of cyber-attacks continue to grow, with few repercussions in place for the perpetrators. One idea proposed as a defense against cyber-attacks is the concept of ‘hacking back’, which refers to allowing private sector entities to take proportional intrusive cyber action against their attackers. Bills have been tabled in the past to legalize hacking back, the most recent being proposed in 2021 by U.S. Senators Steve Daines and Sheldon Whitehouse.
Hacking-back: A recipe for disaster
This idea of using force to deter or stop crime stems directly from the physical world and rests on the proposition that a certain amount of force is sometimes necessary and legal to defend property. While eliminating the idea of self-defense in the physical world would seem counterintuitive, complications arise when the concept is applied to cyberspace. Firstly, it is extremely difficult to attribute an attack to a specific individual or organization, because attackers route their traffic through botnets and other compromised third-party systems, so the machine that appears to be attacking is rarely the attacker’s own. Additionally, the potential for collateral damage while hacking back is enormous. Unlike the physical world, the cyber world does not operate within clear boundaries. If hacking back were allowed, it would create a situation similar to private citizens standing at their fences shooting aimlessly and hoping eventually to hit the actual criminal.
Furthermore, the effectiveness of hacking back is also questionable. Even if the stolen data is located, deleting it provides no assurance of security, because there is no way of ascertaining whether copies were made. It is also foreseeable that hacking back would make the attacker determined to hack you further and damage your systems, escalating into a private cyber-war that could threaten the organization’s survival. The example of Blue Security illustrates this point: the company had to shut down after the spammer it targeted retaliated. Furthermore, hacking back is unlikely to deter ideological hackers who are not motivated by profit or cost. If the private sector is allowed to carry out activities such as hacking back, it would certainly be a recipe for disaster. Hacking back is far from the ideal response, and it is unlikely that it would counter the threat of cyber-attacks.
Achieving cyber peace
The solution lies not in individual actions but in a collective attempt to create a more peaceful internet where crime is simply harder to commit, instead of being more violently deterred or retaliated against. The governments of the world need to collaborate and work towards a common goal: to stand up for principles that call for the protection of innocent civilians, of infrastructure and of the internet itself. However, these governments will first have to build confidence and mutual trust amongst each other. They can start by exchanging information and best practices and by establishing cyber hotlines. Microsoft’s call for the creation and implementation of international cybersecurity norms, a Digital Geneva Convention, is a much-awaited step in the right direction. The idea is not far-fetched: the US and China have already shown the way forward by overcoming tensions and agreeing in 2015 to ban cyber-enabled theft of intellectual property.
However, governments alone might not be able to achieve this, and tech companies also need to stand up for shared principles that protect individual users. Tech companies must collaborate with each other and adopt commitments to help deter, prevent and respond to cyber-attacks, and come together to protect users everywhere. Most importantly, companies need to do away with offensive strategies and adopt wholly defensive policies. The Cybersecurity Tech Accord (2018) is a good starting point. Under the Tech Accord, 34 companies across the world, including Microsoft, Dell, Cisco, Nokia and LinkedIn, committed to “protecting people and communities from online threats through action across four areas: stronger defense, no offense, capacity building, and collective action”. Moreover, companies need to develop products and services that are designed for privacy and security and that minimize vulnerabilities and the likelihood of their exploitation. Users should be empowered with tools and information that help them better understand cyber threats.
Tech companies should also build on existing and emerging open-source technologies. With many experts able to inspect the software at any time, there is a greater chance that someone will notice a bug or a flaw and that it will be fixed quickly. Many pairs of eyes constantly reviewing and maintaining the software improve its safety. This is less often the case with proprietary software, where vendors can take months to fix flagged issues. This collaborative approach to software development also drives innovation and lowers the risk of the technology becoming obsolete, because the entire community is involved in its development.
Conclusion
It is true that cyber-attacks pose challenges the likes of which have never been seen before, but individual actions and risky options like hacking back would create a cyberspace in which only the fittest can survive. A collective approach seems to be the only sound alternative to our currently failing cybersecurity strategies. In this collective approach, governments, tech companies and other like-minded groups will have to work together to create a cyberspace where crime is extremely difficult to commit. Until that is done, there is little hope of achieving peace in our digital world.
[REVISED AS ABOVE. TOTAL WORD COUNT: 935 WORDS]
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.
MuhammadUsmanFirstPaper 2 - 14 Apr 2022 - Main.EbenMoglen
I don't understand the point of this draft. "The police are very busy so we're going to let people form private vigilante organizations or conduct personal retaliation" is not an argument. Yet it is the only vague justification offered for presenting the question in this framing. Of course the private contractors who like to wage war for pay under the aegis of US national security would also like to be deputized by the US to charge private companies for the fun of shooting civilians from the back of a van downtown. Yes, their buddies in government who will take jobs with them when they retire occasionally invite them in to explain how to increase the take of the private-war industries. So what?
The question might be framed in terms of how to have a more peaceful net in which crime, as well as interstate spying and offensive destruction, are harder to commit, not more violently "deterred" or retaliated against. A net that respects civil liberties and is designed to reduce commercial surveillance is also more secure and resistant to abuse. That's "cyberpeace," and oddly enough it is preferable to cyberwar. Why don't you try a draft that considers how to crime-proof and de-escalate the Net rather than this Rambo stuff?
MuhammadUsmanFirstPaper 1 - 20 Mar 2022 - Main.MuhammadUsman
In the wake of increasingly sophisticated cyber-attacks and the failure of existing cybersecurity strategies to counter them, the idea of hacking back is being proposed as a solution. This paper explores the legal and ethical issues presented by hacking back.
The Dilemma of Hacking Back
-- By MuhammadUsman - 20 Mar 2022
For quite some years now, there have been debates around legalizing private-sector hack-back. The concept of hacking back refers to allowing private sector entities to take intrusive cyber action against their attackers. Bills have been introduced in the past to legalize hacking back, the most recent being tabled by U.S. Senators Steve Daines and Sheldon Whitehouse. Essentially, the bill requires the Department of Homeland Security to conduct a “study on the potential consequences and benefits of amending section 1030 of title 18, United States Code (commonly known as the “Computer Fraud and Abuse Act”), to allow private entities to take proportional actions in response to unlawful network breach”.
This idea of using force to deter or stop crime stems directly from the physical world. The idea of fighting back is nothing new, and it is intuitive that if you see a shoplifter in your shop, you will search and frisk the shoplifter and even reach into his pockets. Society recognizes that some amount of force is sometimes necessary and legal to defend property. However, the right to use reasonable force has not been extended to the cyber world so far. Presently, the CFAA prohibits unauthorized access to a computer, which constrains the private sector’s ability to defend itself, or ‘hack back’.
While eliminating the idea of self-defense in the physical world would seem counterintuitive, complications arise when the concept is applied to cyberspace. Firstly, it is extremely difficult to attribute a given attack to a specific individual or organization, as modern technologies allow cybercriminals to use deceptive techniques. For instance, while in the physical world you may see a person entering your house, a cybercriminal may simply use a botnet, so that the attack appears to come from other people’s machines rather than from the actual criminal. Botnets are just one example; in the digital world practically anything can be spoofed. Numerous organizations have their systems compromised in malicious attacks. If a compromised system of one organization is used to attack a second organization, and the second organization then hacks back to neutralize the threat, it revictimizes the organization that was already a victim. Cybercriminals constantly evolve their techniques, which makes it extremely difficult to pinpoint the criminal.
In addition, the potential for collateral damage while hacking back is enormous. Unlike the physical world, the cyber world does not operate within clearly chalked-out boundaries. If hacking back were allowed, it would create a situation similar to private citizens standing at their fences shooting aimlessly and hoping eventually to hit the actual criminal. Furthermore, the effectiveness of hacking back is also questionable. Even if the stolen data is located, deleting it is unlikely to provide any security, because there is no way of finding out whether copies were made. It is also foreseeable that hacking back might make the hacker determined to hack you further and damage your systems, leading to a cyber-war that could be detrimental to the organization's survival. The example of Blue Security illustrates this point: the company had to shut down because the spammer it targeted decided to fight back. The situation is further complicated in cross-border cybercrime, where a cyber-attack can be seen as an act of war.
There are also a number of legal and administrative questions that remain unanswered. For instance, if an organization harms a third party while hacking back, who bears the consequences? Who decides what actions are legal and proportional, and what are the parameters for determining the types of targets that may be pursued? Hence, there is a risk that private companies might launch intrusive attacks without clear evidence and end up inflicting disproportionate punishment.
On the other hand, it is argued that government agencies, and even the FBI, are already overwhelmed by an onslaught of cyberattacks, and that legalizing hack-back might deter cybercriminals to a certain extent. It can also be argued that with this option available, cybercriminals could be held accountable to some degree, as most of them go unpunished today. However, it is unlikely that hacking back will deter ideological hackers who are not motivated by profit or cost. It is also unlikely that taking intrusive action will remedy the harms or wrongs committed by the initial attack. The entire concept of hacking back is still in its nascent stages. If the private sector is allowed to carry out activities such as hacking back without significant oversight mechanisms and without deliberating upon the conditions under which hacking back may work, it would be a recipe for disaster and would create more harm than benefit.
Hacking back is far from the ideal response to cyberattacks. Government authorities are much better equipped to respond to cyberattacks, and perhaps the work of attacking criminals should be left to professionals who work within the bounds of a legal framework. Options as risky as hacking back are being debated and explored primarily because cybersecurity and law enforcement have not yet caught up with the sophistication of cyberattacks. However, cyberspace cannot be turned into a survival of the fittest. Perhaps a better route would be a true public-private partnership where both sectors work together and find alternatives to the currently failed cybersecurity strategy. The purpose of this paper is not to dismiss the proposition of hacking back outright but to establish the need to fully explore the intricacies and nuances of this strategy before even thinking of implementing it.
This site is powered by the TWiki collaboration platform. All material on this collaboration platform is the property of the contributing authors. All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.