Is it wrong to hack back - to counter-cyber-attack when you’ve become a victim?
The presumed answer is yes. In the US alone, the Department of Justice calls hacking back “likely illegal”; the Federal Bureau of Investigation “cautions” victims against it; and White House officials call it “a terrible idea.”
But none has clearly declared it illegal. The law has not caught up with technology here - whether in the US or other geographies - and we don’t have a test-case in court yet. In the meantime, we can look toward ethics for guidance, which surprisingly might permit hacking back.
If cyber-attacks are a law enforcement issue, the usual solution is to let the authorities handle it. They’d work to capture the suspects, put them on trial, and punish them if found guilty. To circumvent this process seems to be vigilantism, which threatens the rule of law and therefore civil society’s foundation.
But when cyber-attackers continue to elude identification - forget about capture and prosecution - does it still make sense to defer to the authorities? Help is not on the way. For instance, the FBI said this about ransomware, or malicious software that locks down a user’s system until money is extorted. “To be honest, we often advise people to just pay the ransom," they said.
If the wheels of justice are systematically stuck, then it may not be vigilantism to take action against your attacker. Part of our social contract to create and abide by government is to give up our natural powers to take justice into our own hands, in exchange for a more reliable and fair legal system. Arguably, our obligation to defer to law enforcement is suspended, on this particular issue of cyber-attacks, if they can’t uphold their end of the bargain.
Anyway, your right to self-defense is basic and does not go away, even when help is on the way. In a home robbery, for example, it’d be reasonable to defend your family while waiting for the police, since a lot can happen in the several minutes in between.
But what if you can’t identify the attacker? What if he’s really an innocent person who accidentally stumbled into your house or was co-erced? This is a popular concern; hacking back might target innocent people, since attribution or identification is so difficult.
For instance, in a distributed denial of service or DDoS attack, if you knock out the computers that were unwittingly hijacked and used to swarm against your system, are you attacking “innocent” computers, and is that bad? Their owners aren’t malicious and didn’t agree to this use, though they may be negligent in not updating anti-malware defenses.
Well, we don’t need to establish guilt before we can act against an urgent threat, or else it’d always be too late. All that we need to know, at that moment, is that the person is a threat to others, culpability aside.
Even the police aren’t expected to ascertain an attacker’s identity and motives before using force. A bank robber or suicide bomber could really be a co-erced victim himself, whose kidnapped family would be killed if he did not carry out the crime or terrorist act. Yes, it’d be regrettable to use force against innocent people, but sometimes even lethal force is justified and reasonable.
Another worry with hacking back is that it may escalate a conflict: it may invite retaliations, further mayhem, and collateral damage. But this is too broad an objection, as any case of self-defense could be accused of the same provocation. This seems to be victim-blaming, similar to faulting a mugging or rape victim for additional injuries sustained as a result of fighting back.
Critics also worry that hacking back may destroy evidence needed for prosecution of the initial attack. Putting aside a lack of reliable prosecution against cyber-attackers in the first place, this objection also could be victim-blaming: it’s reasonable to resist a mugging, rape, or other criminal acts, even if that might destroy evidence of the crime.
This ethical analysis is just a sampling of a bigger discussion we just published in a new report. Even if we look at cyber-attacks as a military problem (since many attacks come from overseas) or public health problem (like fighting against a virus outbreak), there could be other reasons to think that hacking back is ethical.
If so, the next step is to take another look at the legality of hacking back, as both law and ethics may have been prejudged hastily on this subject. At a time when we need more options when responding to cyber threats, and when we’re still grappling with the cyber domain conceptually, it may be premature to take any reasonable options off the table.