Hacking Back: To Do or Not To Do?
When debating the ethics of responding to a cyberattack by hacking back in retaliation, proportionality and the potential for civil harm are the key factors that must be heavily weighed before a decision is made.
That’s the opinion of two Purdue University researchers who examined various pieces of literature – from laws to war agreements – to help outline ethical frameworks for cyber security defense.
“The Internet is similar to the world’s oceans – no one owns it, and everyone uses it,” said Jim Lerums, one of the researchers. “In the same way it took time to establish Maritime Laws, it will take time for the world to agree on legal and ethical frameworks for the Internet.”
Though many would agree that organizations have a right to protect their networks, the ethically acceptable options are not clear. And when passive defense measures are not enough, entities need to consider whether hacking back, also known as a counter-attack, should be performed.
Originally presented at the IEEE Symposium on Technologies for Homeland Security last year, Lerums and Corey T. Holzer outlined two potential frameworks for approaching the decision of whether to hack back.
The Law Enforcement Approach
Due to the puzzling ethicality and landscape of hacking back, few examples of the private sector performing these counter-attacks can be found. Even still, corporations would likely consider the Law Enforcement Approach if needed.
This approach views hacking attacks as criminal acts, where ethical decisions are based on United States laws, applicable international laws/treatises, and non-binding international standards and guidelines.
The Wiretap Act (1988), the Computer Fraud and Abuse Act (1986), and the Cybersecurity Information Sharing Act of 2015 are all components of U.S. law that authorize companies to deploy cybersecurity counter-measures on their own networks against malicious malware, yet criminalizes computer attacks on others (including counter-attacks).
On the other hand, The International Court of Justice supports the response of cyberattacks if they follow four elements of a lawful counter-measure. These elements include a counter-attack being directed towards those who performed the original cyber act, asking those in the wrong to discontinue the attack, a counter-attack being in proportion with the original act, and the counter-attack being reversible.
With the opposing nature of these laws, it’s quite clear why corporations feel unsettled to initiate counter-attacks.
The Military Style Approach
Similar to the expansion of air and sea in war, the Internet has become the newest warfighting domain in the last decade. Based on this concept, the Military Style Approach considers cyber-attacks as an act of aggression, where military-type responses are acceptable. With this framework, the morality of hacking back is analyzed based on the Law of Armed Conflict (LOAC) – codification of the rules of war – and is used typically among government entities.
To ensure the LOAC is followed, a set of guiding principles – Rules of Engagement and the Escalation of Force – were designed to limit unnecessary force, harm to innocent bystanders, and escalation of violence.
In the example of a cyber counter-attack, passive defense options would be the first step (i.e. plug security holes, warning banners) when following the principles. A next step in escalation could be the employment of forensic measures to identify the source of an attack. If attempts to deescalate the situation fail, then defenders could consider hacking back.
Next Steps: Where to Go From Here?
Going forward, the ethics of the Internet and hacking back will be addressed and debated even more as cyber-attacks become more frequent. As Lerums said, this is yet another set of laws that will take time to enact. Gaining agreement over the right approach, though, will be no easy task.
In February 2017, for example, the Cooperative Cyber Defense Center of Excellence released the Tallinn Manual 2.0, a 642-page manual with the most comprehensive analysis of how existing international laws apply to the cyber space.
The document “is a narrative of the legal landscape as seen through a global lens. It addresses a myriad of legal questions that commonly arise from cyber operations and discusses the current state of international law and how it might apply to different situations,” said Kalev Leetaru, writer for Forbes1. “In many cases, the panel of drafters were unable to reach a consensus, demonstrating the complexities that plague the cyber world.”
Until cyber laws are enacted, corporations and the government will need to stay on their toes when it comes to hacking back.
For more information on hacking back, check IEEE Xplore.