CIO

AISA 2017 - Should industry be allowed to engage in "active defence"

During the AISA 2017 Annual Conference, a panel discussion hosted by Mike Burgess looked into the question of whether active defence - hacking the hackers - is ethical. The panel consisted of cybersecurity advisor and lawyer Rachael Falk, Helaine Leggat from Information Legal and Glenn Welby from Cisco.

Burgess started the panel by discussing what active defence is. He said it starts with hacking back to damage systems. It might mean the use of deception to capture someone, or using honeypots. But the spectrum of what "active defence" means is very broad. Some actions, he said, may well fall outside the law. He also added that many companies in the ASX 100 are looking at active defence as a part of their security strategy, although what active defence means to those companies is quite diverse.

Leggat said she works with different types of active defence. She says the bar for entry for this action should only be cleared after you have taken all other precautions, such as aggressively patching and protecting systems. But the defensive measures should end at your boundaries. For example, internal honeypots are OK.

What sort of defence is reasonable will depend on where you are in the attack cycle, said Leggat. The appropriate response will depend on whether the response is elicited before, during or after an attack. Self defence, as defined in existing law, could be applied to cyber-crime.

Falk said that while real world laws apply, there are different issues when it comes to cybercrime. For example, physical crimes leave tangible evidence, video footage and other artefacts. But cybercrime makes attribution a challenge, and nation-states can execute very sophisticated attacks that can be very hard to detect and trace back.

The tradecraft of online criminals makes it very difficult to know who the attackers are, making active defence very challenging.

Welby said the problem is not technology but human behaviour. He said we need to look for real-world analogies. For example, we can't assault an alleged pick-pocket. Similar rules apply with cyber-crime. And we need to think carefully about the challenges of attribution.

Leggat said some international norms are needed. And they need to be cognisant of what the potential problems are before they become acute issues. But companies need to think about the risks and laws. Falk noted that how far that defence against a cyber-attack goes is a tricky question. She added that you can't break laws in order to actively defend against attackers.

Going out and attacking, or actively defending, Welby said, sounds like "starting a war" or entering the "Wild West".

The line of what is legal is hard to draw. For example, it may be possible to embed offensive capability into data so that if it is stolen it can either be tracked or it executes within the hacker's system and takes them down. However, this "gift with purchase" approach is illegal in Australia.

Ultimately, the panel brought a diverse set of views. The challenge of defining active defence was noted. Even intelligence gathering by private companies and individuals might be illegal under Australian law. But the reality is law enforcement is still playing catch-up and the laws aren't clear.