With each day's dawning come new cyber attacks. No one is immune: national governments, corporations and individuals are all vulnerable, and the attacks seem to be accelerating as our world becomes increasingly dependent upon digital means of functioning. In an era where nearly every aspect of our lives has a digital component, this shouldn't come as any surprise.
Despite the fact that our defenses have become increasingly forbidding (next generation firewalls, IDSs, etc.), the number and severity of these attacks continue to increase. Unfortunately, these attacks are likely to continue and accelerate because:
(1) huge sums of money are involved (estimates range as high as $500B/year in revenue from cyber crime);
(2) this is the way of cyber war and espionage in the 21st century;
(3) more and more parts of our lives become digital.
Maybe it's time to take a new approach. Within the IT security industry, the subject has been broached in recent years as to the legality and legitimacy of "hacking the hacker" during or after an attack. Some argue that this is the legal equivalent of self-defense. In this article, I would like to explore the concept and legality of "hacking the hacker" as the digital equivalent of self-defense.
The Natural Law of Self-Defense
Probably from the very time that humans first aggregated into clans and communities, there has been a recognized natural law of self-defense. In simple terms this law says, "if you attack me or mine, I have the right to defend myself, which may include exacting violence upon you". This natural law has been codified within nearly every culture and legal system around the world. It existed in ancient Rome (in the concept of protecting domus or home) and within the English common law system for centuries. It existed for centuries before being codified, as judges simply recognized the inherent "common sense" in this natural law. England's and the English-speaking world's most noted and esteemed legal scholar, William Blackstone, wrote in his Commentaries (1765-1769):
Self-defence, therefore, as it is justly called the primary law of nature, so it is not, neither can it be in fact, taken away by the law of society. In the English law particularly it is held an excuse for breaches of the peace, nay even for homicide itself: but care must be taken, that the resistance does not exceed the bounds of mere defence and prevention
William Blackstone, Commentaries
Note that Blackstone says that this is such a "primary law of nature" that it cannot be "taken away by the law of society".
Outside the Western world, the principle of self-defense has been recognized as well, and in some cases with much more leniency and leeway. In some cases, the right to self-defense may be limited to the minimum amount of force necessary to stop the crime, but in the People's Republic of China in 2009, the killing of a robber who was trying to escape was ruled a justifiable homicide. The court ruled that the homicide was justified as "self defense" because "the robbery was still in progress".
It goes without saying then, I believe, that a right of self-defense is a well established principle in nearly every culture.
Despite the fact that this natural law is recognized nearly universally, it is circumscribed by a few principles. These are:
(1) Innocence - you can only invoke self-defense if you are not the attacker.
(2) Imminence - the attack must be imminent or right now. No pre-emptive strikes.
(3) Proportionality - the response must be in proportion to the attack.
(4) Avoidance - the victim has a duty to retreat.
(5) Reasonableness - all of this is encompassed by the "reasonable man" rule which the courts use to decide what a reasonable man would do in these circumstances.
The question I want to address here then is, "Can we apply this universal and natural law and its principles to our digital world of the 21st century?"
The Argument for Digital Self-Defense
Some have argued then that since this natural law is nearly universally recognized, "we can apply it to our digital domains AND it would have a positive effect on the safety and security of our digital domains".
The argument goes something like this: if the hackers believed that they might be met with an attack upon themselves, they would be more reluctant and hesitant to attack innocent institutions, individuals and governments. Just as with the widely held principle of self-defense of your person and property, an attacker has to consider not only how self-defense might impact their probability of success, but also whether self-defense might lead to the exercise of violence and damage upon THEIR person and property. In our physical world, self-defense can lead to the manslaughter of the attacker, and the victim will bear no legal liability, as such manslaughter is justified. In some cases, this might give the attacker pause...at least, once.
Let's try to make this more concrete in our physical world. Take for instance the case of a street thief. They are much less likely to attack a very large, muscular victim who appears possibly armed than an innocent, frail, unarmed victim. Why? Because of the possibility that THEY might become the victim. This isn't just an estimation of the possibility of success, but also the possibility that they themselves might be harmed in the attack. Couldn't this same principle apply to cyber security as well as the street?
Some would argue that self-defense only applies to stopping the attack, but if the hackers have entered our property and stolen our assets, then the attack is still "in progress", to borrow the words of the Chinese jurist. As such, self-defense would still be a legitimate defense as long as the attackers are in possession of our property.
Application of Self-Defense in Cyber Security
Imagine a scenario in the near future, where our neighborhood cyber crime gang is contemplating an attack upon an innocent institution. They know that that same institution has at its disposal a group of well-armed, "gun-slinging" hackers. That same institution was recently hacked and the self-defense hackers not only responded with their own attack, deleting data on the cyber thieves' hard drives, but also then DoS'ing them so that they could no longer access the Internet. Would the gang think twice before going after that institution?
For those of you who are scholars of the history of the American West (or at least the American westerns), you are probably aware that there was a time not too long ago when the American West was a lawless land, often referred to as the "Wild West". If you have seen any American western movies ("Butch Cassidy and the Sundance Kid" among many others of this genre), I think you know what I mean. I don't think it's much of a metaphorical stretch to see our current circumstances in the cyber world as a "Wild and Lawless Cyberland" similar to the "Wild West" of the 19th century. At that time, many businesses--most notably the railroads--found it extremely difficult to operate in such a lawless environment. Eventually, they settled upon a solution, the Pinkertons. The Pinkertons were a private law enforcement agency that the railroads and others hired to secure their assets and operations. Eventually, these Pinkertons were able to drastically reduce crime in the lawless West. Maybe it's time we have the cyber equivalent of the Pinkertons. These "cyber Pinkertons" would discourage hackers from attacking our valuable assets and businesses by launching cyber counter attacks.
Attribution of the Attack
Even if the cyber security industry adopts a concept of "cyber security self-defense" where counter attacks are legitimized, there will still be the key issue of attribution. In other words, who and where are the attackers? If you have ever investigated the attribution of an attack, you know what I am talking about. The hackers/attackers often use proxies between themselves and the victim, so tracing an IP address can be problematic. This in itself may be the greatest impediment to "hack the hacker" self-defense.
Throughout human history the concept of self-defense has been a well-established principle. In recent centuries, that principle has been codified nearly universally. It's now time, I believe, that this principle be applied in the 21st century cyber battles between hackers and defenders of some of our most valuable digital assets. When the hacker/attacker can be identified with a high degree of certainty, then we should be able to unleash a counter attack upon them. I'm hoping that some company soon will "hack their hackers" and test the legality and legitimacy of this premise. Only then will our digital world become a safer place.