Is there such a thing as acceptably taking responsibility for lawful offense, given the current cybersecurity landscape and potential issues which have been going on for years, silently in the background?
Do we need to have a set of ethics as to what is acceptable vs. not acceptable?
What are your thoughts?
In my mind, "offensive" measures can at times be perfectly reasonable. The big requirement is guardrails, such as operating within the bounds of ethics, the law and ensuring sufficient judicial oversight.
A few examples of ones I feel are appropriate:
Another scenario is when I hire a red-team to attack my own company, complete with the appropriate contractual arrangements to guide and protect the red-team.
That said, I completely agree that vigilante ("attack me, I attack back") strategies should not be tolerated on the Internet any more than they are in real life.
@Edwin_CybSecGuy Well, that says it all: for example, under the ITU radio communications rules, only China and Russia have the right to use certain frequencies within the internationally agreed frequency spectrum for defense purposes. So they use wide bandwidth spectrums, completely disrupting other traffic that flows using the High Frequency bands. They have a published right.
So stating that only Governments have the rights to Lawful Offenses establishes that certain nations outwardly attack other nations for espionage and commercial IP purposes, such as China, North Korea and Russia. However, when you look closer, almost every nation is either protecting themselves or has offensive countermeasures to return the favour to the attacking host nation, even if they use proxies and then claim it was not them. This is nation-state gamification, where the attackers have high stakes, tonnes of investment and are prepared to keep smiling whilst pretending it was not them who did the attacking.
I'll absolutely agree that vigilantism is a terrible idea.
However, we are currently in the wild west until a formal offensive government "police force" gets established. Your examples of Microsoft getting "court orders" to execute those offensive attacks are nice, but keep in mind that no court actually has the power to authorize use of force, of any kind, except as prescribed by law.
These regional attempts at creating an offensive authorization scheme lack the sort of coordination we want to see from someone like the FBI/CIA/NSA/etc. who can coordinate information and ensure that regional efforts aren't affecting larger investigative efforts.
Under the law, it is important to remember that you always have a right to protect yourself, however, it is unclear to what extent that right extends to the digital realm. In the physical realm, for instance, in defense of property you are not allowed to use deadly or overwhelming force. "Non-deadly force can be used to protect property that is in the defendant’s lawful possession if the force that the defendant uses reasonably appears to be necessary to prevent or terminate an unlawful intrusion onto, or interference with, that property. See People v. Payne, 8 Cal. 341 (1857)."
I would expect that you would need to be prepared to defend your (your company's) actions as "reasonably necessary." However, you need to do a risk analysis with your legal team before any such actions as there is an element of uncertainty when applying new technologies anyway and then you always have your baseline uncertainty about what might be considered "reasonable" at trial.
Should we have a "code of ethics" established for such actions? Absolutely. Until we can agree, as a profession, there's nothing we can point to as a reasonable standard in court. The primary thing judges like to see in a "reasonability test" is what a plurality of industry professionals agree is reasonable.
Scambaiting is getting pretty popular and there are several online personalities who have gained significant followings via their YouTube channels.
Using "offensive" techniques to do something such as red teaming your org is completely different from "offensive" actions at a nation-state level. We SHOULD/MUST NOT mix/blur the two.
Right now, the Russians ("allegedly") are in the middle of conducting offensive cyber/information operations against the Ukraine to support their physical operations vis-à-vis their larger plan of potentially invading the Ukraine. The activities in which they are engaged are offensive. Those same activities can, but should not, be compared to Microsoft or any other company engaging in legal take-downs. These are two completely different types of offensive actions.
N. Koreans hacking to steal crypto to collect monies in an effort to avoid international sanctions and gain access to hard currency is not in the same league as the Israeli firm NSO Group developing and selling powerful, nation-state level hacking and surveillance software, but given their background, NSO has NO LEGITIMATE REASON to be operating as an international business. There is nothing "responsible" in the selling of their software on a global basis. Yet, in this case, the two groups of actors run at the same level and are playing on the same field.
We will likely never be able to put the digital "offensive" genie back in its bottle, but just because nations engage in such activities against each other does not mean that businesses and non-governmental actors should attempt to engage in these actions.
Hi @Edwin_CybSecGuy, a very thoughtful set of comments. I agree; however, this is fast becoming the normal behaviour, as we are witnessing on the world stage at the present time.
However, given there are humans on the end of the keyboard, whether they are proxies being paid by the host nation or not, they are making deliberate decisions whilst directed from the responsible regime, which we cannot name or pinpoint at the present time. It does point to a behaviour, in terms of bashing down the defensive protection, i.e., critical infrastructure, or causing financial mayhem prior to an attack taking place.
The most ethical and responsible nations must take a more positive stance, because in the not too far future, these attacks may be automatically directed by "Remote Processing Analytics" or RPA, or even by Augmented Intelligence acting upon decisions based on risks controlled by remote entities.
So the call for appropriate morals and ethics is certainly very important right now, whether it is human directed and guided or automated and orchestrated due to AI. We certainly need to think very carefully about what changes need to be put in place to reduce the likelihood of these actions becoming WWIII rather than a carefully controlled nuclear war.
What are other people's thoughts on this current situation? Are we prepared to deal with the fallout?
What would you feel or say if your own sons and daughters were drafted into a useless and senseless conflict directed by humans or by machines influenced by bad ethics and programming?
How do you address espionage, 'cyber', physical, network or database given that any and all are universally considered illegal when conducted against the victim? This is very much a 'you cannot have your cake and eat it too' type of argument.
I would also point to the Department of Justice's recent formal guidance on security research and its implications under the CFAA. https://techcrunch.com/2022/05/19/justice-department-good-fatih-hackers-cfaa/ Had this been published a decade ago, we would still have a notable few who succumbed to suicide rather than face the DoJ's wrath.
It's more complicated than simply saying the equivalent of 'Just say no (to drugs)!'
Good luck with that!
@ArnoldA Thank you for the statement. Unfortunately many attempt successfully to bypass these definitions by citing altruistic terms and associated meanings and the world just looks on without teeth.