Is White Hat "Hacking" Illegal?
Mark Lachniet publishes an excellent paper titled “Hostile Forensics.” He argues that sometimes digital forensics investigators have reason to take actions that are legally and ethically provocative. He calls these actions “hostile forensics.”
Mark frames the topic: “Due to
recent developments in counter-forensic technologies such as strong encryption, it may soon be necessary for forensic analysts to use system penetration or ‘hacking’ techniques in order to obtain forensic evidence, a process here referred to as ‘Hostile Forensics.’”
Mark distinguishes “hostile forensics” from traditional forensics. Here is an example of traditional forensics: An investigator analyzes data on a hard drive, with formal authorization from the owner of the drive. The investigator has consent from the person who put the data on the drive. The drive is in the physical possession of the investigator.
Here is an example of “hostile forensics,” as I interpret the idea: A publicly-accountable investigator, with justification, remotely interacts with a marveloustly complex cloud of computers, while having something less than formal authority from each owner of each computer. One or more of the computers is in part controlled (or influenced) by a suspicious-acting adversary of the investigator. The investigator’s purpose is to gather evidence that incriminates the adversary.
Mark offers numerous intelligent steps to help cause a “hostile forensics” investigation to fall on the side of good and not evil. He suggests, for instance, that the investigation be subject to detailed recordkeeping and tight supervision over individual investigators.
Hacking Back?
An idea related to “hostile forensics” is a style of computer secuurity that my fellow SANS Instructor John Strand calls “offensive countermeaures.” Sometimes John uses the term “hacking back.”
The range of actions that might qualify as "hostile forensics" or "offensive countermeasures" is huge, limited only by imagination. It includes much more than just the examples that Mark and John articulate.
Illegal?
Do “hostile forensics” or “offensive countermeasures” constitute computer crime? This is an exotic jungle of law, thick with nuance. Much of the law is open for interpretation. Simplistic interpretations of the law here are of little help.
In this field there's a lot of dubious folklore (e.g., "action X is always legal; action Y is always illegal").
In truth, the legality of any given action can be highly dependent on the facts of the particular case. Change the facts slightly from one case to the next, and the conclusion whether an action is legal can change.
Two Observations
I have two big picture observations. Neither of these observations is criticism of Mark or John, and neither of them passes judgment on any particular action.
1. Words Matter. When law and ethics are nuanced, the words we choose carry immense weight. The descriptions of an action can influence the understanding and treatment of the action. Subtlies are important.
(a) Choose Adjectives Carefully
I am reluctant to use the adjectives “hostile” or “offensive” to describe what Mark and John have in mind. Those adjectives carry emotional charges; those adjectives can be interpreted as negative. But Mark and John are talking about actions that are positive and not negative . . . good and not evil . . . legal and not illegal.
Therefore, under a given set of facts, an adjective like “justified,” “responsible” or “proportionate” might better describe an action.
(b) Choose Verbs Carefully
Well-meaning IT folks can be quick to use words like "penetrate" or "hack" or "strike-back" without carefully examining the definition of those words and without considering alternative words. Instead of the verbs "to penetrate" or "to hack," the more accurate verbs to describe an action may be "to confuse," "to tease," "to elicit" or "to regale." Example: "We regaled the adversary bots with a multitude of honeypots."
Alternatively, a more accurate description might be metaphorical. A security or investigative action might best be described as, say, “to depict a clever digital costume.” The reasons for this description might be that:
- the action induces a suspicious person to believe something he did not expect and persuades him to reform his behavior or reveal evidence about himself; and/or
- the action induces a malicious community of software, like a botnet, to perceive a new situation and persuades the community to reform its behavior or reveal evidence about itself.
2. Court Support. Mark mentions the idea of getting court approval, such as a search warrant, for “hostile” action by law enforcement. Good idea. Typically such approval would come after a government agent, such as prosecutor, requests the approval.
An alternative type of court approval might come from a civil lawsuit brought by a private party such as a corporation. Microsoft is a pioneer in bringing civil lawsuits against cyber adversaries, such as bot herders and spammers. Microsoft has gotten court approval for assertive actions against adversaries. A civil lawsuit might be brought in either state court or federal court.
What do you think?
–By Benjamin Wright
Wright teaches the law of data security and investigations at the SANS Institute.