This is Part I in a series of articles on hacking back or aggressive cyber defense. The questions I would like to explore, and ask for comments on, are whether hacking back in self-defense is legal or illegal, whether it is ethical or unethical, whether it should be pursued with clearly defined parameters or in a wild west manner, and more.
If you have read my article, “Hacking Back In Self-Defense: Is It Legal; Should It Be?,” you are aware that I believe hacking back in self-defense, in certain circumstances, is legal.
When I lecture on this topic, though, I get at least one person in the crowd who is adamantly opposed and claims it is illegal. Usually, when their argument is analyzed, it comes down to an ethical argument rather than a legal one.
So, in addition to the questions I have posed above, I ask one additional one: if your system has been compromised and is being used to attack my network or computers, do I have the right to hack back or aggressively defend my network against your attacking system, even if it means my defense may disrupt your computer or network?
Please provide comments below and I will continue in a few days.
This is a good question. I think you do have the right to defend your computer and systems from an attack. The concerns I have are ensuring that the attacker is indeed correctly identified (don’t want to falsely accuse someone else) and to what extent the counter-attack would be. Ideally, it would be just enough to stop the attack but sometimes it may be even more damaging. There are many areas where the situation could turn badly where both sides may be entirely inoperable. Also, for law enforcement there may be trouble in determining who started what and the events that took place. There would have to be very good detailed accounts and logging so that you can defend yourself legally if you are found guilty of some cyber crimes.
I agree with Adam and I also want to ask about who gets to define “attacking system”. Is surveillance an attack? Port scans have been ruled legal, right, so that’s not an attack? When does it cross the line? My friend used to say the Supreme Court ruled that your right to swing your fist ends at the tip of my nose. What does that look like in packets?
Both very good comments and questions. So, consider this. Most who are older than 30 or who have been in computers or security for a while might automatically think of a hacker as one person bouncing through networks. Not true any more, correct? It is mostly automated. Hackers send out code that does all the work. Much of the Internet and its communications are now automated. The laws, when written, focused on the hacker gaining unauthorized access. This is difficult to define now. Are cookies, spam, adware, other scripts needed for webpages to work considered unauthorized access? With the exception of canned spam, no, not under the law. So, is sending code back on a bot to disable it at its command and control server unauthorized access? I would argue no. As to where the line exists: very gray at this point.