To hack back or not to hack back?

Many centuries ago, explorers came to the vast land of North America. Shipload upon shipload of dreamers, explorers, businessmen and farmers entered the harbors and spread out throughout the country. They all dreamed of a better life – however they defined it.

As the population in the West gradually grew, the need for stability and peace did too. In the very beginning, a gun and the principle of “an eye for an eye” allowed the survival of the best gun-hand, often to the detriment of many a young farmer with lesser gun-slinging skills. This self-regulation has been referred to as the Code of the West.

But after a time it became evident that shoot-outs in the streets were counterproductive to stability, peace and predictability. The principle of self-protection had to give way to another principle.

Thus the law came to the West, and replaced the Code. Individuals gave up (or were forced to give up) their right to pursue justice individually, and handed the task of prosecuting, judging and possibly executing criminals over to the government.

A new resource

If you think of cyberspace as a new resource for you and your organization, it makes sense to protect your part of it as best you can. You build fences to keep your cattle in, and the horse thieves out. You train your cowboys to ride and shoot well, and to recognize newcomers for what they are. And you accept the fact that your government is the one that will pursue and prosecute the thief that stole one or more of your horses.

The challenge arises when you (possibly rightfully so) perceive that your government is not able to deal with the horse thief. In the Wild West, you would have your cowboys string him up and hang him.

In cyberspace, you demand to be allowed to “hack back”. You want your government to delegate the legal prosecution, judging and execution to you, because (you claim) you know the situation better.

You may find yourself saying something along the lines of: “Our cyberjockeys are highly skilled, quick to shoot and fully capable of taking down any trespassing hacker. I must have the right to defend myself, and attack is the best defense. Because, my dear government, if I do nothing, it will only be a matter of time before they enter my premises and run me over.”

From your narrow and personal perspective, this kind of reasoning may make sense at first glance. This is the same kind of reasoning that feeds blood feuds through the principle of “an eye for an eye” — “if you kill someone in my family, I will kill someone in yours. Innocent or not, I will shoot.” And so it goes until both families are no more.

Without an overarching governing body, instability, violence and uncertainty become the rule of thumb. It’s obvious that larger groups of humans who need to interact, interconnect and work together need a governing body to sort out disputes and acts of criminality.

A legal system is here to help each one of us, but we have to accept that it may not be perfect, and that it may take some time to adjust it to the cyber domain.

Gut response or intellectual reflection?

A gut response to direct threat is retaliation (or you may choose to run and hide). Consider that we are all part of a global community these days. It is not only you and that horse thief anymore. It is you, your employees, your country, your country’s trade partners, and so forth. In cyberspace, you cannot act like a rogue player who does whatever comes to his or her mind. Your playground is no longer your own backyard where you can argue “self defense” and get away with it.

The implications of hacking back are much larger than you and your organization. What you think of as a simple retaliation operation may quickly evolve into a geopolitical situation with multilateral impact.

It is one thing to shoot a horse thief, and it is a very different thing to accidentally trigger a nation-state’s war machine. I urge you to take a moment to think things through. Use your intellectual capacity to reflect on what is better – a closed-down world where everyone shoots at each other, or a world where we all abide by the same laws, made to build global stability, peace and predictability?

Patience, my friend

Yes, the current laws and legal systems are a major challenge to cybersecurity. History has shown us that allowing every man his own justice system simply does not scale well. We do not need a granulated “hack back” retaliation regime.

We must focus our efforts on making an international cyber governing body that will decide the laws and that will have the authority to pursue and make justice across national and regional borders. Personally, I would not mind hearing a prosecutor say: “The World versus Hector Hacker.”

We need a new system, and that system must be larger than each individual, organization and nation-state. Obviously, the creation and implementation of such a multilateral governing body will take time and effort. While we are waiting, we can help by pushing our governments in the right direction. Open dialogue, building trust and sharing information are important building blocks. Respecting differences, and seeking to learn how to overcome them is vital.

Private organizations may help by setting up and funding think-tanks, inviting both public and educational sectors to discuss alternative courses of action. Nation-states can help by using existing governing bodies like WHO, UN and Interpol to create a new, global cybersecurity unit, and enter into agreements that enable it to govern the sector from a global perspective.

Every single one of us can look beyond mere self-interest, and look for common ground where workable, realistic solutions can grow and operate. And have the patience to allow for this process to evolve and grow, just like it happened when the Code of the West was replaced by law.