The Risks of a “Hack Back” World … Cyberware!

The first lesson in Cybersecurity must be “Law and Ethics”.

Basically …

“Don’t do bad things to people”,

“Report crime when it happens”,

“Don’t disclose private information”,

“Don’t exceed the limits of your authority, without permission”,

“If something is a criminal activity, let law enforcement deal with it, and don’t automatically imply guilt … someone is not guilty until proven guilty by a court”,

and so on.

But now a bill is being submitted to the US Congress which wants to create scope for a “hack back” (the Active Cyber Defense Bill): if you are attacked, you can hack back. I think it perhaps shows a naivety from politicians, both in defining what a hack is and in understanding the criminality and ethics of “hacking back”. It’s a bit like goading someone in the street until they push you, and then you end up assaulting them. In the networking space, even a simple ping can be seen as malicious. Existing laws, such as the Computer Fraud and Abuse Act (CFAA), do not support the hack back method.

Section 3 of the Active Cyber Defense Bill defines the concept of beacons, where a hacker would copy code which had a tracker in it, and where the code to…

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.