Businesses and individuals are getting fed up with always being one step behind cyber criminals and constantly playing defense. In an attempt to be more proactive and shift the dynamic, some security experts are now advocating active countermeasures—basically attacking the attackers. While getting revenge has a nice ring to it, becoming an attacker raises a number of ethical issues.
Bruce Heiman, a partner with K&L Gates LLP, presented a session at the 2014 RSA Security Conference titled “Cyber Vigilante or Self Defense?” Heiman discussed the challenges facing businesses and consumers and the moral and ethical dilemma of turning the tables on the attackers.
The session began by claiming there are only two kinds of companies—those that have been hacked, and those that have been hacked but don’t yet realize it. Heiman pointed out that the odds greatly favor the attacker because a target must defend against all possible exploits and attack vectors, whereas the attacker only has to find one weakness to compromise your system.
The traditional defenses involve prevention, mitigation, and collaboration. We use firewalls and antimalware software in an attempt to block threats, we respond to security incidents and attempt to minimize the damage and return to normal operations, and in some cases, we involve outside security vendors or law enforcement to help with a forensic investigation to determine how the attacker got in. The problem is that the entire model is reactive and always gives the attackers the first move.
Should companies or individuals have a right to employ active countermeasures—to hack back at the attackers? The first part of the ethical dilemma is attribution. Before you can even consider using active countermeasures to attack the attacker, you have to be absolutely certain, beyond a reasonable doubt, that you have the right target. If an attacker uses a compromised system or other means of obfuscating the true source of the attack, there is a very real risk that you could “hack back” at the wrong system—making you just as guilty as the attacker you’re trying to attack.
One approach is to use more of a honeypot or flypaper approach. You can embed code in files or documents and leave them where attackers will find them. When the attacker opens the file, it can gather information about the system like IP address and other relevant information, capture screenshots and keystrokes, or even activate a webcam to take a picture of the would-be thief. With this method, the attacker is guilty of accessing files he shouldn’t be and is, in essence, attacking himself.
Legally speaking, though, this sort of cyber vigilantism crosses the line. The Federal Computer Fraud and Abuse Act (CFAA), and other state and international regulations prohibit unauthorized access, so executing code on the attacker’s system makes you the bad guy. It is more of a gray area, though, when you’re talking about self-defense. As long as your intent is to guard your own computer or data, you most likely won’t get in trouble, but it’s still a possibility.
Once you cross that line, you also invite potential retaliation and retribution from the attackers. Your active countermeasures attack may result in a more malicious attack against you and another counterattack from you—escalating the battle to a whole new level you may not be prepared for.