topic Re: Is there such a thing as responsible Lawful Offense? in Governance, Risk, Compliance

Is there such a thing as responsible Lawful Offense?

Caute_cautim — Mon, 09 Oct 2023 09:57:55 GMT

All

Is there such an acceptable for taking responsibility for lawful offense, given the current cybersecurity landscape and potential issues which have been going on for years, silently in the background?

Do we need to have a set of ethics as to what is acceptable vs non acceptance?

What are your thoughts?

https://www.lawfareblog.com/responsible-cyber-offense

Regards

Caute_Cautim

Re: Is there such a thing as responsible Lawful Offense?

Edwin_CybSecGuy — Tue, 02 Nov 2021 12:30:40 GMT

Unless you are a Government, there is no such thing as "Lawful Offense". Let's not even try to address "responsible".

No organization/entity has the right to use offensive measures in cyberspace -- period. That governments engage in it is bad enough. That we prosecute individuals is clear. Why should a business or other organization be allowed to do something that we prosecute individuals for?

Re: Is there such a thing as responsible Lawful Offense?

denbesten — Tue, 02 Nov 2021 19:57:21 GMT

In my mind, "offensive" measures can at times be perfectly reasonable. The big requirement is guardrails, such as operating within the bounds of ethics, the law and ensuring sufficient judicial oversight.

A few examples of ones I feel appropriate:

Another scenario is when I hire a red-team to attack my own company, complete with the appropriate contractual arrangements to guide and protect the red-team.

That said, I completely agree that vigilante ("attack me, I attack back") strategies should not be tolerated on the Internet any more than they are in real life.

Re: Is there such a thing as responsible Lawful Offense?

Caute_cautim — Tue, 02 Nov 2021 20:03:12 GMT

@Edwin_CybSecGuyWell that states it all: For example under the ITU Radio communications rules, only China and Russia have the right to use certain frequencies within the international agreed frequency spectrum for defense purposes. So they use wide bandwidth spectrums, completely disrupting other traffic that flows using the High Frequency bands. They have published right.

So stating that only Government have the rights to Lawful Offenses, establishes that certain nations outwardly attack other nations for espionage and commercial IP purposes such as China, North Korea and Russia. however, when you look closer, almost every nation is either protecting themselves or have offensive countermeasures to return the favour to the attack host nation even if they use proxies and then claim it was not them. This is a state nation gamification, where the attackers have high stakes, tonnes of investment and are prepared to keep smiling whilst pretending it was not them who did the attacking.

Regards

Caute_Cautim

Re: Is there such a thing as responsible Lawful Offense?

noel — Thu, 06 Jan 2022 17:03:01 GMT

I'll absolutely agree that vigilantism is a terrible idea.

However, we are currently in the wild west until a formal offensive government "police force" gets established. Your examples of Microsoft getting "court orders" to execute those offensive attacks are nice, but keep in mind that no court actually has the power to authorize use of force, of any kind, except as prescribed by law.

These regional attempts at creating an offensive authorization scheme lack the sort of coordination we want to see from someone like the FBI/CIA/NSA/etc. who can coordinate information and ensure that regional efforts aren't affecting larger investigative efforts.

Under the law, it is important to remember that you always have a right to protect yourself, however, it is unclear to what extent that right extends to the digital realm. In the physical realm, for instance, in defense of property you are not allowed to use deadly or overwhelming force. "Non-deadly force can be used to protect property that is in the defendant’s lawful possession if the force that the defendant uses reasonably appears to be necessary to prevent or terminate an unlawful intrusion onto, or interference with, that property. See People v. Payne, 8 Cal. 341 (1857)."

I would expect that you would need to be prepared to defend your (your company's) actions as "reasonably necessary." However, you need to do a risk analysis with your legal team before any such actions as there is an element of uncertainty when applying new technologies anyway and then you always have your baseline uncertainty about what might be considered "reasonable" at trial.

Should we have a "code of ethics" established for such actions? Absolutely. Until we can agree, as a profession, there's nothing we can point to as a reasonable standard in court. The primary thing judges like to see in a "reasonability test" is what a plurality of industry professionals agree is reasonable.

Re: Is there such a thing as responsible Lawful Offense?

nathanielsoo — Thu, 20 Jan 2022 04:05:37 GMT

Scambaiting is getting pretty popular and there are several online personalities who have gained significant followings via their Youtube channels.

Lawful? Questionable.

https://scambusters.org/revenge.html

Re: Is there such a thing as responsible Lawful Offense?

Edwin_CybSecGuy — Sun, 20 Feb 2022 14:24:00 GMT

Using "offensive" techniques to do something such as red teaming your org is completely different from "offensive" actions at a nation-state level. We SHOULD/MUST NOT mix/blur the two.

Right now, the Russians ("allegedly") are in the middle of conducting offensive cyber/information operations against the Ukraine to support their physical operations vis-à-vis their larger plan of potentially invading the Ukraine. The activities in which they are engaged are offensive. Those same activities can, but should not, be compared to Microsoft or any other company engaging in legal take-downs. These are two completely different types of offensive actions.

N.Koreans hacking to steal crypto to collect monies in an effort to avoid international sanctions and gain access to hard currency is not in the same league as Israeli firm, NSO Group, developing and selling powerful, nation-state level, hacking and surveillance software, but given their background, NSO has NO LEGITMATE REASON to be operating as an international business. There is nothing "responsible" in the selling of their software on a global basis. Yet, in this case, the two groups of actors run at the same level and are playing on the same field.

We will likely never be able to put the digital "offensive" genie back in it's bottle, but just because nations engage in such activities against each other does not mean that businesses and non-governmental actors should attempt to engage in these actions.

Re: Is there such a thing as responsible Lawful Offense?

Caute_cautim — Tue, 31 May 2022 19:34:22 GMT

Hi @Edwin_CybSecGuy I very thoughtful set of comments. I agree, however this is fast becoming the normal behaviour as we are witnessing on the world stage at the present time.

However, given there are humans on the end of the keyboard, whether they are proxies being paid by the host nation or not, they are making deliberate decisions whilst directed from the responsible regime, we cannot name or pin point at the present time. It does point to a behaviour, in terms of bashing down the defensive protection i.e. critical infrastructure or cause financial mayhem prior to an attack taking place.

The most ethical and responsible nations must take a more positive stance, because in the not to far future, these attacks may be automatically directed by "Remote Processing Analytics" or RPA or even by Augmented Intelligence acting upon decisions based on risks controlled by remote entities.

So the call for appropriate morals, and ethics are certainly very important right now whether it is human directed and guided or automated and orchestrated due to AI. We certainly need to think very carefully what changes need to be put in place, to reduce the likelihood of these actions becoming WWIII rather than a carefully controlled Nuclear war.

What are other people's thoughts on this current situation? Are we prepared to deal with the fall out?

What would you feel or say if your own son's and daughters were drafted into a useless and senseless conflict directed by humans or by machines influenced by bad ethics and programming?

Regards

Caute_Cautim

Re: Is there such a thing as responsible Lawful Offense?

Beads — Thu, 26 May 2022 14:34:15 GMT

How do you address espionage, 'cyber', physical, network or database given that any and all are universally considered illegal when conducted against the victim? This is very much a 'you cannot have your cake and eat it too' type of argument.

I would also point to the Department of Justice's recent formal guidance on security research and its implications under the CFAA. https://techcrunch.com/2022/05/19/justice-department-good-fatih-hackers-cfaa/ Had this been published a decade ago we would still have a notable few who succumbed to suicide rather than face the DoJ's wraith.

Its more complicated than simply saying the equivalent of 'Just say no (to drugs)!'

Good luck with that!

- B/Eads

Re: Is there such a thing as responsible Lawful Offense?

Caute_cautim — Tue, 31 May 2022 19:37:35 GMT

@ArnoldA Thank you for the statement. Unfortunately many attempt successfully to bypass these definitions by citing altruistic terms and associated meanings and the world just looks on without teeth.

Regards

Caute_Cautim

Re: Is there such a thing as responsible Lawful Offense?

meltone — Thu, 02 Jun 2022 22:18:09 GMT

No, only law enforcement or nation states are equipped to handle the potential issues with taking offensive actions. We need better tools to engage the proper authorities to take action.

Re: Is there such a thing as responsible Lawful Offense?

wimremes — Mon, 25 Jul 2022 08:57:04 GMT

I can only point to the ISC2 Code of Ethics, in which Canon II says the following:

"Act honorably, honestly, justly, responsibly, and legally."

The order of the words here matters greatly and was carefully considered when drafting the CoE. To be ethical, an action by a professional does not need to be legal. If the professional has considered whether the act is honorable, honest, just, and/or responsible, it can be perfectly ethical while being completely illegal.

I do not think that we need more than Canon II to cover the debated scenarios. I also seriously doubt that this will become an issue outside of government business any time soon. I don't see the US government handing out the digital equivalent of letters of marque any time soon.

Re: Is there such a thing as responsible Lawful Offense?

shavonne64 — Tue, 17 Jan 2023 05:08:05 GMT

Hello

Very serious issue you have selected here, as you said it depend on

the choice is whether and how to engage in them responsibly and minimize cost to societies. Unless you are a Government, there is no such thing as "Lawful Offense". Let's not even try to address "responsible".

Re: Is there such a thing as responsible Lawful Offense?

Caute_cautim — Thu, 19 Jan 2023 04:39:38 GMT

Hi @Judyblanks don't ever say never, there are policies from nations circulating these days, who are contemplating retaliation against other nations, should they be attacked etc.

It is becoming legitimate through nation policies.

Regards

Caute_Cautim

Re: Is there such a thing as responsible Lawful Offense?

leefarrellhelps — Fri, 02 Aug 2024 17:54:22 GMT

The concept of taking responsibility for lawful offense in cybersecurity is complex and evolving. As the field grows, establishing clear ethical guidelines is essential to differentiate between acceptable and unacceptable practices. Responsible behavior should focus on transparency, adherence to legal standards, and consideration of the broader impact on society. Developing and following a strong ethical framework can help navigate these challenges and ensure that actions taken are both legal and morally sound.