Discussions continue on “hack back”

Back in November, I blogged about the hack back initiative here in the United States. Similar debates are taking place in Canada. In January of 2012, Public Safety Canada commissioned a report on hacking, specifically hacking related to online protest and activism, known as hacktivism. The report recommended several exemptions to existing legislation that would allow researchers, investigators and even journalists to break into other computers. Among the recommendations: allowing security researchers to attack and reverse engineer software in order to identify security flaws (Montreal Gazette), allowing investigators to take additional action when investigating attacks such as data breaches and malware, and allowing reporters to break into private computers to obtain information in the interest of public welfare (Postmedia).

Over the past year, Public Safety Canada and the minister's office discussed the report, and on January 16, 2013 Public Safety Canada decided to reject the recommendations. This is by no means a complete loss for those supporting hack back, since initiatives of this scale often take years to implement. Alana Maurushat, the author of the report, wrote, "no surprise that there is no inclination to take up recommendations…these things often take decades of slow changes." The past year of discussion will increase awareness of the hack back initiative, and I expect to see other proposals in the future that address the shortfalls of this one, shortfalls that Public Safety Canada has not spelled out.

Hack Back: Eye for an eye in cyberspace

Like paparazzi on celebrities, hackers pound on our organizational doors almost every second of the day. It makes us want to hack them back: take them out of the game and end this never-ending battering of our systems. The temptation is especially strong following a data breach. Despite it, most restrain themselves because of laws that prohibit using computer programs and systems to attack others. However, the increasing damage and loss caused by computer hacking has led some to question this restraint.

At the 2012 RSA conference, Paul Asadoorian and John Strand proposed fighting back in three steps: frustrating hackers with systems that waste their time, tracking the attackers, and then disabling them. Unfortunately, attackers often route their attacks through other people's compromised systems, so disabling the attacking system could take down a company that has no knowledge of the attack.
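Of the three steps, only the first, wasting the attacker's time, stays entirely on hosts you own. As an added example (not from the original post, and not Asadoorian and Strand's code), here is a small SSH-style tarpit in Python in the spirit of tools such as endlessh: it accepts a connection on a port the attacker believes is SSH and trickles out an endless stream of harmless pre-banner lines, which the SSH protocol requires clients to skip, so a scanner that waits for a real banner hangs for as long as it is willing to wait. The port number and the delay are assumed values; nothing is ever sent to or run on the attacker's machine.

```python
"""SSH-style tarpit: an added example of a system that wastes attackers' time.
Not code from Asadoorian and Strand's talk or from the original post."""
import asyncio
import random
import string
import time

# RFC 4253 section 4.2 lets a server send arbitrary lines before its version
# string; the client must skip any line that does not begin with "SSH-".
# Lines end in CRLF and should not exceed 255 bytes. A scanner that waits for
# the real banner before moving on will therefore sit here until it times out.
MAX_LINE = 255
SAFE_CHARS = string.ascii_letters + string.digits


def make_tarpit_line(rng: random.Random) -> bytes:
    """Return one random, protocol-legal pre-banner line ending in CRLF."""
    body = "".join(rng.choice(SAFE_CHARS) for _ in range(rng.randint(3, 32)))
    line = body.encode("ascii") + b"\r\n"
    # A line starting with "SSH-" would be taken as the real version string
    # and end the tarpit early, so never emit one.
    if line.startswith(b"SSH-"):
        line = b"x" + line[1:]
    return line


def is_valid_pre_banner_line(line: bytes) -> bool:
    """Check that a line is legal to send before the SSH version string."""
    return (line.endswith(b"\r\n")
            and not line.startswith(b"SSH-")
            and len(line) <= MAX_LINE)


def sample_lines(n: int, seed: int = 0) -> list:
    """Deterministic batch of tarpit lines, handy for inspection and tests."""
    rng = random.Random(seed)
    return [make_tarpit_line(rng) for _ in range(n)]


async def tarpit_client(reader, writer, delay: float, stats: list) -> None:
    """Drip one line every `delay` seconds until the client hangs up, then
    record how long the connection was held and how many lines were sent."""
    peer = writer.get_extra_info("peername")
    start = time.monotonic()
    rng = random.Random()
    sent = 0
    try:
        while not reader.at_eof():      # stop once the client has gone away
            writer.write(make_tarpit_line(rng))
            await writer.drain()
            sent += 1
            await asyncio.sleep(delay)
    except (ConnectionError, asyncio.CancelledError):
        pass  # client reset the connection, or the server is shutting down
    finally:
        writer.close()
        stats.append({"peer": peer, "lines": sent,
                      "seconds": time.monotonic() - start})


async def serve(host: str = "0.0.0.0", port: int = 2222, delay: float = 10.0):
    """Listen on `port` (an assumed default; forward port 22 to it from the
    firewall if you mean it) and log each connection's wasted time."""
    stats = []

    async def handle(reader, writer):
        await tarpit_client(reader, writer, delay, stats)
        s = stats[-1]
        print(f"{s['peer']} held for {s['seconds']:.0f}s, {s['lines']} lines")

    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


async def _demo(n_lines: int, delay: float) -> dict:
    """Run the tarpit on an ephemeral loopback port and play the scanner for
    `n_lines` lines, so the behaviour can be checked without a real host."""
    stats = []
    server = await asyncio.start_server(
        lambda r, w: tarpit_client(r, w, delay, stats), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    start = time.monotonic()
    lines = [await reader.readline() for _ in range(n_lines)]
    elapsed = time.monotonic() - start
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return {"lines": lines, "elapsed": elapsed,
            "all_valid": all(is_valid_pre_banner_line(l) for l in lines)}


def demo(n_lines: int = 3, delay: float = 0.05) -> dict:
    """Constructed loopback run: returns the lines a client saw and how long
    the tarpit made it wait for them."""
    return asyncio.run(_demo(n_lines, delay))


if __name__ == "__main__":
    asyncio.run(serve())
```

Run it as a script to listen on the chosen port (put the real sshd elsewhere and let the firewall send port 22 here), or call demo() to watch it hold a loopback client for a few lines. It records only the connecting address and the time held, and it never touches a third-party machine, which is why this step sits on the safe side of the line the rest of this post is about; the tracking and disabling steps do not.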

Some argue that since the systems used by attackers are vulnerable, their owners are contributing to the problem, and that disabling those systems is simply part of the overall solution that makes everyone safer. In this view, the loss of availability for one company is a benefit to the community.

So far these arguments have focused on reacting to an attack, but Symantec proposed taking it a step further in their article Malicious Malware: attacking the attackers. They suggested stopping attackers before they launch an attack. Methods ranging from distributing hacking tools that track whoever uses them to taking control of the hackers' own botnets would put the hackers on the defensive.

There are people on both sides of the fence, some, such as John Pescatore, head of Gartner's Internet security practice and a former NSA and Secret Service agent, doubting whether it can really help. Pescatore says "There is no business case for it and no positive outcome." Others, like cyberwar researcher Sandro Gaycken, believe that governments, who have the sanction to attack back, have not been doing enough. He believes hacking back can help and that it is justified. Gaycken says, "Vigilantism could seem justified. It's that way with self-defense: if the state is not there, and I'm attacked, I can hit back."

In response to concerns about legality, Asadoorian and Strand recommended modifying system banners and warning messages to state that by accessing the system you consent to having information such as your location collected and to having your own system subjected to a security check. In this way, attackers would be consenting to the collection of information about them and to the running of tools that analyze their systems. However, an attacker is not authorized to give such consent on behalf of the people whose systems he or she has compromised, so statements like this may be of little legal value when the "attacker" turns out to be someone else's hijacked machine.

The debate is going on right now, with serious cyber security discussions on whether hacking back should be officially allowed in the United States. What are your thoughts?