In February of this year I announced at RSA SF, in my presentation on breach data and trends, that this year will mark a new era of legitimate and legal hack-back services. There is no question that self-defence has been in practice for many years and companies have provided hack-back services, but they tended to be clandestine operations that tried to avoid scrutiny under the law. The FBI certainly frowns upon it. This difference now is that more entities are willing to step forward and confirm their information security self-defense includes an active component. It has become overt and is on its way to becoming legal.
I mentioned the other day that the IDF had publicly announced they reserve the right to attack, presumably under the principle of self-defense. Germany has recently moved to say they also reserve this right.
To put the German announcement in perspective, consider the conclusion to a story from 2009 in Der Spiegel called National Defense in Cyberspace
…the uniformed hackers at Rheinbach [Department of Information and Computer Network Operations] are battling a particularly treacherous adversary: German criminal law, which has banned the preparation of computer sabotage since 2007. If the German cyber warriors did in fact launch test attacks on outside networks they would, strictly speaking, be breaking the law. The penalty for serious computer sabotage is a prison sentence of up to ten years
That battle is apparently winding down as the German military today openly admits to offensive preparation/capability and now is debating logistics and ethics of implementation.
Although the German admission is not a huge surprise – most countries are assumed to have cyber-offensive capabilities – the clear declaration that the CNO has an attack role has reportedly caused controversy among the country’s legislators.
The ambiguities are legion. Does the military have the legal or constitutional authority to launch cyber-attacks against third parties without the approval of Parliament and if so under what circumstances?
There is a subtle difference between the investigative/surveillance and the hack back debates. The authorities now are looking for support and permission to move beyond collecting information and into active defense or attack position intended to cause damage (e.g. shutdown a server). The surveillance debate paved the way, in terms of the right to alter a system without owner consent, but it usually stopped short of allowing damage.
Reports, such as this 2007 one from Austria, said police were given the legal green light for surveillance.
The Austrian Police has become the latest European agency to express its intention to use specially-crafted Trojans to remotely monitor criminal suspects.
According to reports in Austrian media, the minister of justice Maria Berger, and Interior Minister Gunther Plater, have drafted a proposal that will be amended by legal experts and the cabinet with the intention of allowing police to carry out such surveillance legally with a judge’s warrant.
And I assure you the private-sector was already doing this years before the government because it was able to move ahead without the scrutiny of public approval. I certainly was working on similar engagements long before 2007.
The good news is that public requests for the capability means public review on appropriate/ethical use. The bad news is that at least some pushing for surveillance capability seem to be unaware that their new attack tools are not fail-safe and require careful management. Once you are into surveillance you have a very fine line separating you from hack back. Just like a weapon can backfire or cause unintentional harm when not properly handled, a German offcial carelessly handed over control of malware to an adversary.
Der Mann hatte seiner Tochter einen Trojaner auf den Rechner gespielt, um ihr Treiben im Internet zu überwachen. Die Tochter hatte allerdings einen Freund aus der Hackerszene, dem die Spionage auffiel.
Um es dem neugierigen Vater heimzuzahlen, drang der Hacker in dessen Computer ein. Dort sah er, dass der Polizist dienstliche Mails an seinen Privatrechner umgeleitet hatte. Das ebnete dem Hacker den Weg ins Innere der Bundespolizei. Als Folge des Angriffs musste der “Patras”-Server abgeschaltet werden, über den die Polizei Verdächtige observiert.
So hack back is here and clearly is being approved, surfacing some interesting issues of trust, ethics and liability. This German case is a perfect example. The german quote above points out that an authority was moving sensitive data from the government to his personal systems (fail) he was using government tools/technology (e.g. malware) for personal use (fail) and he was unable to control who had access to his personal systems (fail). These types of problems with state/group/self defense are old but the discussion is now in the open about who should be authorized to hack back, when it is allowed, and their liability for collateral damage. It brings to mind a slight modification of an old quote “if you criminalize malware possession, only criminals will possess malware”.
