Sunday, June 20, 2010

Defining the Limits of Self Defense in Cyberspace

- is counterattack in cyberspace comparable to vigilantism?

On Thursday, June 17th, the CEO of Tehtri-Security, Laurent Oudot, presented “Striking Back Web Attackers” at the SyScan security conference in the Republic of Singapore.  The lecture outlined methods for exploiting 13 vulnerabilities found in various malware ‘Command and Control’ servers, used by criminals to coordinate their illegal data collection efforts over the internet.  I heartily applaud Mr Oudot for exposing these mechanisms to ‘bring the war home’ to the hackers, but I am concerned that very few nations currently proffer an adequate legal infrastructure to support their use. In fact, in most countries around the world, existing laws actually discourage both citizens and law-enforcement from striking cyber criminals in this way.  At present, some countries even view possession of such counter-attack resources as a crime – classifying them as hacking tools.

The core of the problem rests with the definition of ‘self defense’ in cyberspace.  In the physical world, if someone enters your home and steals your possessions, it is generally considered inappropriately dangerous for you to attempt to identify and apprehend the thief once they have left your premises. You can shoot the thief if you catch them in the act, but try to track them down on your own after they have gone and you become a vigilante – a potential danger to the public as great as the person who invaded your home.  Thus, your best recourse becomes installing alarms and monitors in your home before any crime is committed against you, to protect against the event of an intrusion.

Things are different in cyberspace though.  The thief invading your privacy doesn’t just enter, take, and leave… he breaks in, permanently damages, and plants malware snooping tools that fester and interfere with your life.  The thief doesn’t leave DNA, fingerprints, and clothing fibers… she leaves the address of her warehouse – a botnet command and control server.  So, if the CEO of SyScan can offer you some effective tools for exposing the ‘warehouse’ or, better yet, shutting it down completely, shouldn’t it be OK for you to prevent the thief from harming you further?  If the criminal’s attack is an ongoing thing, shouldn’t your counter-attack be considered self-defense and not vigilantism?

There are many ‘sticky’ nuances that need to be addressed when defining laws for cyberspace.  Currently, the posture of existing legislation inadvertently offers protections for the criminals while providing recourse for law enforcement.  Cyberspace law is in its infancy and lawmakers in the U.S. and around the world are being cautious.  But the tactics and tools for attack and defense in cyberspace are very different from those of the physical world.  Laws regulating the conduct of law enforcement and private citizens need to be updated to allow for appropriate counter-offensive actions.
