The Risks of a “Hack Back” World … Cyberware!

The first lesson in Cybersecurity is “Ethics”.

The first lesson in Cybersecurity must be “Law and Ethics”.

Basically …

“Don’t do bad things to people”,

“Report crime when it happens”,

“Don’t disclose private information”,

“Don’t exceed the limits of your authority, without permission”,

“If something is a criminal activity, let law enforcement deal with it, and don’t automatically imply guilt … someone is not-guilty until proven by a court”,

and so on.

But now a bill is being submitted to the US Congress which wants to create scope for a “hack back” (the Active Cyber Defense Bill), where, if you are attacked, you can hack back. I think it perhaps shows a naivety from politicians, both in defining what a hack is and in the criminal activity and ethics of “hacking back”. It’s a bit like goading someone in the street, getting them to push you, and then ending up assaulting them. In the networking space, even a simple ping can be seen as malicious. Existing laws, such as the Computer Fraud and Abuse Act (CFAA), do not support the hack back method.

Section 3 of the Active Cyber Defense Bill defines the concept of beacons, where a hacker would copy code which had a tracker in it, and where the code could then be traced for its activities. The Bill also defines the details of active cyber defense measures (ACDMs), where there must be criminal activity involved, and where the target would disrupt the attacker’s own infrastructure.

Outside the scope is any intentional damage or injury to the attacker. The major safeguard is that an organisation would have to contact a law enforcement agency, and get approval of the attack methods, before they went ahead, and that only “qualified defenders” would be used to perform the “hack back”, and that there would have to be a high probability of knowing the actual identity of the attackers.

The worry, though, is that the trigger level of a defined attack is difficult to define, and most attacks are obfuscated in their scope. There would thus be a high chance of false positive attacks, and also of attacking the wrong source. This would lead to Cyberware, where there is a tit-for-tat. In fact, the next great war could be started in Cyberspace. Along with this, large corporations, such as Google and Facebook, could become the attackers against nation state activity, and again could trigger more serious consequences.

For most, we will see the rise and rise of the Security Operations Centre, and the rise of active defence, where companies detect attacks, and defend against them. The risk of escalation within a tit-for-tat world is too scary to even contemplate.

If you look at logs on servers, you would spend virtually all of your time hacking back, as there is a continual stream of things that look malicious, often generated from botnet activity. Virtually all of the hacks are hidden in their source, and are typically driven through scripted tools.

If this Bill goes ahead, be worried about your future!