In the interests of maintaining a civil society, it is time to establish protocol around the threats posed by hackers and how victims may retaliate. Once restricted to desktop computers, the culture of hacking today affects a wide variety of computing devices embedded in valuable assets and deadly equipment, including weapon systems, cars and homes.
We are weaving digital technology into the fabric of our lives with such sophistication, intricacy, and speed that few understand how to guide and regulate hacking, especially when it is carried out ostensibly for the public good.
Consider a few news stories: Late last month, the captain of a yacht in the Mediterranean Sea lost control of his ship, as a GPS “spoofing” device remotely directed it off course. Days later, at the DEF CON Hacking Conference in Las Vegas, hackers demonstrated how a Toyota Prius and a Ford Escape could be sabotaged by malicious code. Similarly, other experts showed how to penetrate an operating system designed for home security devices.
These curious happenings were all the work of “white-hat actors” — cybersecurity specialists seeking to call attention to vulnerabilities in technology; such specialists generally have permission to hack or sabotage the targeted equipment or systems, presumably so a remedy can be found. Hacks like these are reasonable exercises in that the targets are expecting them.
What is worrisome is when so-called “white hat” actors, acting independently or on behalf of organizations, or “black hat” actors perpetrate a hack without permission. We have not yet established protocols governing such behavior. Furthermore, it is hardly clear how hacking targets may retaliate when their physical safety or assets are at risk. Reining in such behavior through policy, law and education becomes even more imperative as hacking moves beyond desktop computers.
The average person wouldn’t voluntarily test the physical security of a neighbor’s house, then report to the neighbor and the public how the home can be broken into. We know this would be a crime, and the homeowner, if present, would have every right to retaliate. No responsible person would encourage such behavior.
Yet hacking has become respectable. Universities, foundations and even government agencies encourage it. At the annual Black Hat USA conference in Las Vegas earlier this summer, Gen. Keith B. Alexander, director of the National Security Agency, defended NSA’s surveillance programs and even had the audacity to plead for help from the hacking community to make its programs even better.
Given that the legality of the NSA’s surveillance programs is questionable, it is disturbing to see the general attempt to make nice with hackers and request their assistance. Such statements likely have the effect of inviting more inappropriate behavior that further confuses the difference between malevolent and benign actors in cyberspace.
What the NSA’s appearance at Black Hat makes clear is that ours is a culture that has sanctioned a notion that is fundamental to the work of hackers: the belief that vulnerability legitimizes attacks. Even if you haven’t given me permission, I can crack your code simply to make the point that you are vulnerable.
The ethical hack has long been a useful tool for good reason. But in the darkness of cyberspace, distinguishing a white hat actor who has not obtained the target’s prior permission and is hacking for the “public good” from a black hat isn’t easy. Now that targets include not just computers but lethal machinery, it is time to consider policies that will establish protocol on this front not just for the actors, but also unsuspecting targets. Politicians, industry trade groups and educators need to work toward providing organizations and individuals guidance on how to hack and how to respond to hacks.
Conventionally, retaliation against hacks has taken the form of a digital response of some sort. But when hackers target deadly machinery, retaliating digitally may not suffice. When, for instance, is it OK to retaliate and what form of retaliation is acceptable? At what point should a target take aggressive action against whoever s/he believes is sabotaging a given device leading to potential death?
In the realm of cyberdefense, experts are still grappling with the challenge of identifying attackers, establishing the level of response and determining how to respond in a timely, appropriate manner. These are vexing questions. We need to work toward finding answers before the Wild West hacking mentality claims unintended victims.
William A. McComas, a partner at Shapiro Sher Guinot & Sandler, practices technology and corporate law. He can be reached at email@example.com.