cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion

Is there such a thing as responsible Lawful Offense?

All

 

Is there such an acceptable for taking responsibility for lawful offense, given the current cybersecurity landscape and potential issues which have been going on for years, silently in the background?

 

Do we need to have a set of ethics as to what is acceptable vs non acceptance?

 

What are your thoughts?

 

https://www.lawfareblog.com/responsible-cyber-offense

 

Regards

 

Caute_Cautim

 

Caute_Cautim

14 Replies
Edwin_CybSecGuy
Newcomer I

Unless you are a Government, there is no such thing as "Lawful Offense". Let's not even try to address "responsible".

No organization/entity has the right to use offensive measures in cyberspace -- period. That governments engage in it is bad enough. That we prosecute individuals is clear. Why should a business or other organization be allowed to do something that we prosecute individuals for?
denbesten
Community Champion

In my mind, "offensive" measures can at times be perfectly reasonable. The big requirement is guardrails, such as operating within the bounds of ethics, the law and ensuring sufficient judicial oversight.  

 

A few examples of ones I feel appropriate: 

Another scenario is when I hire a red-team to attack my own company, complete with the appropriate contractual arrangements to guide and protect the red-team.  

 

That said, I completely agree that vigilante ("attack me, I attack back") strategies should not be tolerated on the Internet any more than they are in real life.

Caute_cautim
Community Champion

@Edwin_CybSecGuyWell that states it all:  For example under the ITU Radio communications rules, only China and Russia have the right to use certain frequencies within the international agreed frequency spectrum for defense purposes.  So they use wide bandwidth spectrums, completely disrupting other traffic that flows using the High Frequency bands.  They have published right.

 

So stating that only Government have the rights to Lawful Offenses, establishes that certain nations outwardly attack other nations for espionage and commercial IP purposes such as China, North Korea and Russia.  however, when you look closer, almost every nation is either protecting themselves or have offensive countermeasures to return the favour to the attack host nation even if they use proxies and then claim it was not them.   This is a state nation gamification, where the attackers have high stakes, tonnes of investment and are prepared to keep smiling whilst pretending it was not them who did the attacking.

 

Regards

 

Caute_Cautim

 

noel
Newcomer II

I'll absolutely agree that vigilantism is a terrible idea.

 

However, we are currently in the wild west until a formal offensive government "police force" gets established.  Your examples of Microsoft getting "court orders" to execute those offensive attacks are nice, but keep in mind that no court actually has the power to authorize use of force, of any kind, except as prescribed by law.

 

These regional attempts at creating an offensive authorization scheme lack the sort of coordination we want to see from someone like the FBI/CIA/NSA/etc. who can coordinate information and ensure that regional efforts aren't affecting larger investigative efforts.

 

Under the law, it is important to remember that you always have a right to protect yourself, however, it is unclear to what extent that right extends to the digital realm.  In the physical realm, for instance, in defense of property you are not allowed to use deadly or overwhelming force.  "Non-deadly force can be used to protect property that is in the defendant’s lawful possession if the force that the defendant uses reasonably appears to be necessary to prevent or terminate an unlawful intrusion onto, or interference with, that property. See People v. Payne, 8 Cal. 341 (1857)."

 

I would expect that you would need to be prepared to defend your (your company's) actions as "reasonably necessary."  However, you need to do a risk analysis with your legal team before any such actions as there is an element of uncertainty when applying new technologies anyway and then you always have your baseline uncertainty about what might be considered "reasonable" at trial.

 

Should we have a "code of ethics" established for such actions? Absolutely.  Until we can agree, as a profession, there's nothing we can point to as a reasonable standard in court.  The primary thing judges like to see in a "reasonability test" is what a plurality of industry professionals agree is reasonable.

nathanielsoo
Newcomer I

Scambaiting is getting pretty popular and there are several online personalities who have gained significant followings via their Youtube channels.

 

Lawful? Questionable.

 

https://scambusters.org/revenge.html

Edwin_CybSecGuy
Newcomer I

Using "offensive" techniques to do something such as red teaming your org is completely different from "offensive" actions at a nation-state level. We SHOULD/MUST NOT mix/blur the two.

 

Right now, the Russians ("allegedly") are in the middle of conducting offensive cyber/information operations against the Ukraine to support their physical operations vis-à-vis their larger plan of potentially invading the Ukraine. The activities in which they are engaged are offensive. Those same activities can,  but should not, be compared to Microsoft or any other company engaging in legal take-downs. These are two completely different types of offensive actions.

 

N.Koreans hacking to steal crypto to collect monies in an effort to avoid international sanctions and gain access to hard currency is not in the same league as Israeli firm, NSO Group, developing and selling powerful, nation-state level, hacking and surveillance software, but given their background, NSO has NO LEGITMATE REASON to be operating as an international business. There is nothing "responsible" in the selling of their software on a global basis. Yet, in this case, the two groups of actors run at the same level and are playing on the same field.

 

We will likely never be able to put the digital "offensive" genie back in it's bottle, but just because nations engage in such activities against each other does not mean that businesses and non-governmental actors should attempt to engage in these actions.

Caute_cautim
Community Champion

Hi @Edwin_CybSecGuy   I very thoughtful set of comments.  I agree, however this is fast becoming the normal behaviour as we are witnessing on the world stage at the present time.

 

However, given there are humans on the end of the keyboard, whether they are proxies being paid by the host nation or not, they are making deliberate decisions whilst directed from the responsible regime, we cannot name or pin point at the present time.   It does point to a behaviour, in terms of bashing down the defensive protection i.e. critical infrastructure or cause financial mayhem prior to an attack taking place. 

 

The most ethical and responsible nations must take a more positive stance, because in the not to far future, these attacks may be automatically directed by "Remote Processing Analytics" or RPA or even by Augmented Intelligence acting upon decisions based on risks controlled by remote entities.  

 

So the call for appropriate morals, and ethics are certainly very important right now whether it is human directed and guided or automated and orchestrated due to AI.  We certainly need to think very carefully what changes need to be put in place, to reduce the likelihood of these actions becoming WWIII rather than a carefully controlled Nuclear war.  

 

What are other people's thoughts on this current situation?  Are we prepared to deal with the fall out?

 

What would you feel or say if your own son's and daughters were drafted into a useless and senseless conflict directed by humans or by machines influenced by bad ethics and programming?

 

Regards

 

Caute_Cautim

Beads
Advocate I

How do you address espionage, 'cyber', physical, network or database given that any and all are universally considered illegal when conducted against the victim? This is very much a 'you cannot have your cake and eat it too' type of argument.

 

I would also point to the Department of Justice's recent formal guidance on security research and its implications under the CFAA. https://techcrunch.com/2022/05/19/justice-department-good-fatih-hackers-cfaa/ Had this been published a decade ago we would still have a notable few who succumbed to suicide rather than face the DoJ's wraith.

 

Its more complicated than simply saying the equivalent of 'Just say no (to drugs)!'

 

Good luck with that!

 

- B/Eads

Caute_cautim
Community Champion

@ArnoldA   Thank you for the statement.  Unfortunately many attempt successfully to bypass these definitions by citing altruistic terms and associated meanings and the world just looks on without teeth.

 

Regards

 

Caute_Cautim