Pressing Questions of the Information Age: 7 Feb 2005
The Ethics of Hacking Back at Hackers

Kenneth Himma
Associate professor of philosophy
Seattle Pacific University
The frequency of digital attacks and intrusions directed at private commercial interests has been steadily increasing over the years as the number of people with the appropriate motivations and technical skills continues to grow. In response, many private firms have begun to take matters into their own hands, responding to digital attacks with measures that have been characterized as "hacking back" or "active defense." In some cases, these measures are no less aggressive than the hacker attacks to which they are intended to respond. In this talk, Professor Himma will address the issue of whether it is morally permissible under widely-accepted ethical principles for private entities to respond to digital attacks and intrusions by "hacking back" at digital attackers.
Rapporteur's report
On February 7, Kenneth Himma, associate professor of philosophy at Seattle Pacific University, spoke to 20 students and faculty from departments including Philosophy, Communication, Computer Science, Law and the Information School on the ethics of active defense: whether it is morally acceptable for private entities, such as businesses, to respond in kind when they are attacked by hackers.
Himma first defined what is meant by the term "active response." Quite simply, it characterizes acts that would be classified as hacking (gaining unauthorized access to a computer file or network) if they were unprovoked. He then classified responses into three types. First, benign responses, which have no direct causal effects on remote systems and are not born of an uncooperative attitude or posture; examples include sniffing, scanning and honeypots. Second, intermediate responses, which have a causal effect on a remote system but are not intended to cause harm; for example, tracing attack paths in reverse through remote systems. Finally, aggressive responses, which are likely to interfere with the availability, integrity or confidentiality of remote systems, including those that are likely to result in damage. Examples here include corrupting data or disabling services on remote systems and denial-of-service counter-attacks.
To evaluate whether these responses to an attack are ethical, Himma first described three sets of ethical principles that might suggest some forms of active defense are ethical. Defense principles allow proportional force to defend yourself or others from attack. Necessity principles hold that an otherwise wrongful force is legitimate if it is necessary to use it in pursuit of a significantly greater moral good. Punitive principles allow proportional force to punish wrong-doing.
Himma then briefly considered ethical principles that suggest that active defense is not ethical. The immunity principle states that it is acceptable to infringe on another's rights only when that person has done something to justify infringing on them. The application of this ethical principle is complicated by the "innocent threat" problem: Is a person culpable if her computer was compromised without her knowledge and turned into a spam-sending zombie? A second relevant principle that weighs against hacking back is the evidentiary principle which says it is not permissible to act under an ethical principle unless one has adequate reason to think its application conditions will be satisfied.
From here, Himma concluded that aggressive responses are not ethically justifiable under the defense principle if they are motivated by a desire to retaliate and are not merely a defense against attack. Further, when you can't ensure there will be no harm to innocent parties, aggressive responses are ruled out by the evidentiary principle and can't be justified under the necessity principle. Intermediate responses are not justifiable under defense principles because they are primarily concerned with gathering information and not with defending against an attack. It's hard to justify intermediate responses under the necessity principles because it is difficult to estimate the probability of success. Evidentiary principles would disallow invasive intermediate responses unless the victim has special information. Finally, Himma argued that benign responses are probably ethically permissible if they do not cause significant third-party effects and do not invade property or privacy rights.
A final thought: Himma reflected on the inadequacy of law enforcement in handling hacking attacks and mused that because of this inadequacy, there may be an argument for active response if: 1) hacking is resulting in significant harm of the kind the state ought to protect against and 2) the state's protective measures are inadequate.
One question for Himma raised the issue of whether it would be ethically permissible to hack an entity that supports what might be considered a morally questionable enterprise: the case the questioner raised was hacking Fox News' website because of material there that supports the war in Iraq. Himma suggested the question here really is: Is it morally permissible for an individual to break the law if he disagrees with it on moral grounds? He answered that he doesn't find the act of breaking the law necessarily morally suspect, but he considers the cost imposed on innocent parties by law-breakers to be a problem (for example, protesters marching on a freeway and costing my time as I sit waiting for them to leave).
Another attendee made the point that if someone accesses your computer illegally, it is very difficult even to know that this happened, and you might suffer harm (loss of privacy, identity theft) without necessarily realizing it. How would you even know to respond if you didn't know you had been attacked?
Recommended Readings
"Targeting the Innocent: Active Defense and the Moral Immunity of Innocent Persons from Aggression," Journal of Information, Communication, and Ethics in Society, vol. 2, no. 1 (January 2004)
"The Ethics of Tracing Hacker Attacks through the Machines of Innocent Persons," International Journal of Information Ethics, vol. 1, no. 2 (2004) [Special Issue featuring the Proceedings of the First Congress of the International Center for Information Ethics (ICIE)]; available online at http://container.zkm.de/ijie/ijie/no002/ijie_002_15_himma.pdf