Is it Whack to Hack Back a Persistent Attack?

The title of this blog post is from our 2013 RSA Conference panel presentation on the ethics and business of “hack back”, a stage we shared with CrowdStrike and Trend Micro.

It grew out of presentations we had been giving in 2012 to explain an ethical business model for hack back, one built on establishing international precedent through trial: a working legal framework for self-defense using information technology.

We had a fairly large turnout those years, and I’ll never forget CrowdStrike’s founder demanding that no recordings be allowed for our panel.

He wanted no press coverage.

I found that highly annoying because the WHOLE point of our efforts at the time was to raise awareness to bring MORE scrutiny, transparency and therefore ethics into the market.

And then CrowdStrike basically took a $50m self-loan and went on to become yet another American anti-virus company with ties to the FBI, moving the dial not an inch.

Fast forward and I’m here today to say the sad news from the NSA didn’t have to turn out this way.

David Evenden was hired in 2014 to work in Abu Dhabi on a defensive cybersecurity project, only to discover it was actually an offensive spy operation for a United Arab Emirates intelligence service.

Obviously things really took off around the time Evenden mentions.

I gave several talks after 2013 where I implored people to understand that “hack back” was very active even if people continued trying to keep it secretive.

Why so secretive? One reason obviously is entrapment of those recruited to do the technical work.

Once in Abu Dhabi, Evenden realized he had been deceived and that he and colleagues had actually been recruited to perform offensive hacking operations and surveillance on behalf of the UAE’s National Electronic Security Authority, or NESA (the UAE’s equivalent of the NSA).

The deception didn’t initially concern Evenden, however, because the work was primarily focused on conducting surveillance against would-be terrorist targets.

Ugh. Deception is a very loaded word here.

This is a textbook example of exactly what we were working so hard to avoid in 2013. Even if Evenden is lying, he can do so because deception is very easy when there is zero transparency built into the system.

Evenden goes on to say literally the exact thing we discussed in our panel of 2013, which as I said was censored by CrowdStrike.

I’m an American and I want to target something overseas. What’s going to happen to me? Nothing. Almost nothing. We just proved that…

Even in 2017 I was on a panel at BSidesLV called “Baby got hack back” where I implored people again to consider how much of it was going on already without transparency or accountability.

It wasn’t a hypothetical for me in 2012. It certainly wasn’t in the news enough in 2017 (there was an audible gasp from my audiences) yet should have been.

Even if these stories had been published sooner, the more important point is that an opportunity was missed to run and test far better guidelines for the market, ones that would reduce deception and confusion about legal hack back.

So I guess the point here is that this “proof” story comes a decade after we very clearly said it was a viable business plan, with activities mostly obscured and hidden from view, and that it already needed open discussion back then to avoid errors (e.g. criminal charges).
