Examining cyber counter attacks from an ethical perspective

Proceedings of the Southwest Decision Sciences Institute, Dallas, Texas.
EXAMINING CYBER COUNTER ATTACKS FROM AN ETHICAL PERSPECTIVE
Brett J. L. Landry
College of Business, University of Dallas
1834 East Northgate Drive
Irving, TX 75062
972-636-8633
blandry@udallas.edu
Dinah Payne
Department of Management, University of New Orleans
2000 Lakeshore Drive
New Orleans, LA 70148
504-280-6961
dmpayne@uno.edu
ABSTRACT
Cyber threats, cyber crimes, and cyber attacks are common events today, affecting governments,
companies and individuals. These attacks come from a variety of sources from individual lone
hackers to sophisticated teams sponsored by governments, companies, and crime organizations.
But should individuals and organizations retaliate and strike back? This paper examines four
counter strike methodologies from a series of ethical perspectives.
INTRODUCTION
Cyber threats, cyber crimes, and cyber attacks are common events today, affecting governments,
companies and individuals. These attacks come from a variety of sources from individual lone
hackers to sophisticated teams sponsored by governments, companies, and crime organizations.
Recently, the question of what should be done by the victims to retaliate against the hackers has
been raised. The retaliation depends on many factors: type of attack, where the attacker is
located, where the victim is located, the laws involved, as well as the technical skills and
resources needed to conduct a counter attack. This counter attack notion has been called many
names, such as hacking back, cyber vigilantes, and hacktivism. While the terms vigilantes, hack
backs, and counter attacks have been used in similar contexts, they are different terms and can be
categorized differently based on the engagement in which they occur.
In protecting cyberspace, there are many elements of physical analogies that hold true. First,
physical security is a must for logical security to take place. We must have doors and
locks to secure the cyber asset; otherwise, an attacker can physically take the asset or damage
it. However, the comparisons can be carried further. If an attacker physically breaks into one's
organization and steals an asset, one can deploy alarms, locked doors, and guards to monitor the
situation and attempt to stop the theft. In cyberspace, we do the same thing with log monitors,
firewalls, IDPSs, encryption, and strong passwords. When the attacker is in our building, our
security can eliminate or mitigate the threat by slowing him down or stopping him altogether.
We generally cannot go to the physical location where the attacker lives and recover the asset.
Hack back scenarios suggest the person attacked goes after the attackers where they live. This is
due to the nature of the crime: because the attacker is generally outside the organization
perpetrating the crime, we must trace them back to where they live. This study examines the
ethical implications of hacking back, rather than the legal issues. Legality differs based on
national law and a determination of where a cybercrime actually takes place; this determination
can be a difficult task. This paper will examine these concepts through the lens of four different
attack and counter attacks scenarios from an ethical perspective.
Codes of Ethics
Payne and Landry (2006) suggest that the IT profession does not have a single comprehensive
code of ethics and that there is no need for a separate code of ethics for Business versus IT. In
examining seven basic concepts of business ethics, the authors categorize them into three sub-
groups. The first group incorporates the topics of consistency, respect for individuals, and
autonomy of all, which falls under the traditional Kantian view of the Golden Rule (Kant, 1964).
The Golden Rule to treat others as one would want to be treated is an interesting viewpoint from
the hacking perspective. This becomes almost a he said/she said situation where the victim
retaliates based on the original hacking, at which point, the original hacker hacks back again.
This "you hack me, so I hack you, and if I hack you then I expect that you will retaliate" stance could be
supported under a Kantian approach as long as it was universally consistent. The difficulty with
this approach is that not only will most people not hack into others' systems, it is logical to say
that no one will accept having their cyber systems being hacked into.
The second and third groups incorporate the work of Raiborn and Payne (1990) of justice,
integrity, competence and utility. Using the ideals of fairness as represented by the
concepts of justice and integrity, we find that, in some instances, the fair result is to accept some
sort of response to illegal, immoral and harmful hacking. If we adopt the assertion from Payne
and Landry (2006) that "(E)quality and fairness are inherent qualities of a just decision making
(p.82)," then that assertion should be applied to the counter attack arena. Again taking the
perspective that harm was done to one, so one will harm back, it could be argued that this is an
ethically acceptable perspective. Integrity includes honesty and sincerity when making
decisions.
The third group of ethical principles that can help achieve a morally justifiable solution to
retaliatory hacking is represented in Raiborn and Payne's ideals of competence and utility.
Competence dictates that the workforce deploying the counter attack is adequately trained in
such endeavors. Depending on the counter attack methodology, an acceptable level of
competence may or may not be possible. Lastly, utility is the concept that the parties executing
the counter attack will consider the consequences of their actions on all parties: if the
consequences are likely to prevent other damaging hacking instances in the future, then the
concept of utility has been served. Similarly to competence, achievement of utility may or may
not be possible depending on the counter attack methodology.
The parties involved
For the purpose of this paper, we are going to define three parties: the primary hacker, the victim
and the leakers. The primary hacker is the originator of the attack: the attacker. We are not
labeling them as criminals because while their activity may be illegal in the U.S., it very well
might not be in their country and may even be nation sponsored. Additionally, with the
exception of phreakers (phone hackers), the labels for hackers, crackers, script kiddies, lamers,
etc. are not always clearly defined and do not change the ethics of the attacks involved. The
victim or defender is the person that is wronged or feels wronged and is looking to retaliate.
This is an oversimplification of all parties involved, but helps to set the scope of this paper.
There are also leaks carried out by entities such as Wikileaks and Bradley Manning; other
cyber crimes include cyberwar attacks by Russia on Bosnia and Georgia, on the U.S. and others
from China, and most recently attacks on the U.S. from Syria. However, these attacks are not in
response to a cyber attack and are outside the scope of the paper.
CYBER COUNTER ATTACKS
This paper will focus on four types of counter attacks: Honeypots, Trojan Horses, Hack Backs,
and Hacktivism. Each of these differs on how far the victim is willing to go beyond being just
the defender to become an attacker. As a result, the consequences of the hacking can change
dramatically. It is also arguable that the ethics of the actions is also subject to change: from
having done the right thing to having gone beyond the right thing to having engaged in
unethical behavior.
Honeypots
Honeypots and honeynets are computers designed to mimic weak or vulnerable systems. They
are deployed as a means to study and learn what hackers are doing on the network and are most
commonly located in a firewalled separate network called a DMZ. A honeypot is generally a
single machine, while a honeynet is a series of computers, switches, and other devices to emulate
an entire network. A honeynet can be a single virtual machine that may emulate hundreds of
other systems. Here, the goal is not to harm the attacker, but to misdirect the hacker into
thinking he/they are hitting production systems. This misdirection can protect the real assets
within a firm and from the three ethical tests, the deployment of honeynets can be supported.
Using the Kantian perspective, it is defensible in that no harm is coming to the attacker: thus, it
would be universally acceptable, it allows for respect of everyone in the cyber environment and
it respects the freedom of all with cyber assets to protect. If the roles were reversed, the victim
here would expect that if they were trespassing in someone else's network that they could be
misdirected to other resources within a honeynet DMZ. Likewise, the test for equality and
fairness, integrity and justice, could be supported as long as the honeynet was deployed honestly,
using enticement and not entrapment. Simply, it is fair to set up a honeynet which an attacker has
to search for and then attack: it is the attacker's choice to violate someone else's right and so to
expect some level of retribution. It is unfair to have links on a web site that take unsuspecting
visitors to the honeynet. From a competence perspective, developing honeynets is relatively
simple as long as the defender has adequate firewall and perimeter defense knowledge. For the
utility test, the defender has to consider all parties affected by this counter attack. Here the
parties involved are limited. There is the firm, the attacker, and possibly users of the system.
We say possibly users of the system because it could be possible that a honeynet usage could
slow down a firm's overall internet connection speed, especially if the honeynet is the target of a
distributed denial of service (DDoS) attack. There could be an issue for the firm if similar
passwords, configurations, or other key information that the attacker could learn could give an
entryway into the production systems. Lastly, there is the attacker. The attacker will waste
time, resources, and effort on the honeynet believing it is a production environment.
Trojan horses
Trojan horses are programs that claim to do one thing and do something else, like the mythical
wooden horse of Troy. Trojan horses are a common way to trick users into opening programs to
infect machines. In 2013, the Georgian government used one to track and find hackers on their
systems (Kirk, 2012). Technically they did not attack the hacker's system. They loaded a file
called Georgian-Nato Agreement as a zip archive on their internal systems. The hacker then
opened the archive on their PC which then enabled his web cam and allowed the defenders
(Georgia) to search his hard drive for about 10 minutes before the connection was severed.
While trojan horses can be considered unethical behavior when they dupe or trick ordinary users
into clicking them, the same cannot be said to apply to the attacker. Clearly, placing trojan
horses on public systems would be wrong; however, the attacker is on a private system for which
they are not authorized. The Kantian analysis would examine this counter attack method and
assume that if someone was in one's system without permission (authorization), it would be
acceptable for one to track the interloper. So, that element of the Kantian analysis is supported.
The same is also true for equality and fairness. The defender could be sincere in their attack
response which would be supported under the ideal of honesty. Conversely, there are issues with
ability (competence) and utility. Ability would dictate that the firm has skilled resources in
developing trojan horses. That these software programs would execute properly and not have
other consequences must be considered. Utility dictates that the defender would be able to
examine the consequences of their actions. However, in the cyber realm, this may not be really
possible for two reasons. The trojan horse may have unintended consequences due to unforeseen
technical issues and unintended recipients. It is very possible that the defender's trojan horse
could do damage to the attacker's system. In the Georgian case, the intent was to open a web
camera and a covert channel to the attacker's hard drive. What if, instead, it destroyed the
machine? The natural assumption is that the recipient of the trojan horse is the attacker,
but it may not be. What if the attacker was at a university on a networked university computer
and executed the trojan horse? Would it send all the university's files to the defender? What if
the attacker saved the file in a place where others could get to it or has hijacked another's
computer? Now, essentially another victim has been portrayed as the attacker. For these
reasons, the creation of trojan horses cannot be supported by the concepts of ability and utility.
Active hacking back
Taking the attack to the next level is the idea of directly attacking the attackers. Entity X
attacked us, so we attacked them. In this scenario, there are very definite issues. The first is that
just because an attack came from PC1, it does not mean that PC1 is the responsible attacker.
Hundreds of thousands of machines in the U.S. and around the world that are infected are at the
command of hackers in a distributed system called botnets. The botmaster is the actual attacker
and the bots are the tools used. Quite often, it is easy to find where the attack came from, but not
who orchestrated the attack. To make things worse, spoofed IP addresses, open WIFI, and
Internet proxy sites give excellent hiding opportunities for attackers making it more difficult to
track.
For this reason the Kantian analysis would not support hacking back. While we could conclude
that if I hack - I should be hacked, the reality is that hacking back involves collateral damage.
Entity X attacks Entity Y and makes it look like Entity Z did it; then Y attacks Z for an attack that
they did not initiate. Since this counter attack would be considered unfair, it would not be
supported by the fairness perspective. Hacking back takes incredible sophistication, a talent and
ability that most defenders do not have. Further, there is no way to even begin to understand the
consequences of their actions on all parties. Based upon these factors, hacking back would be
considered unethical across all three ethical categories.
Hacktivism
Hacktivism is the idea of hacking for a particular cause or purpose and not for financial gain.
The purposes may be political, religious, ideological, or just for the fun of it. One of the best
examples of hacktivist groups is Anonymous. This group picked targets and convinced others
they were wronged by large companies such as Sony and HB Gary Federal, churches such as
Westboro Baptist Church and the Church of Scientology, and government agencies around the
world. While the real impact of Anonymous attacks has come from botnets, they have
convinced millions around the world to participate in attacks even when the leaders knew their
participants would be tracked. Our examination of hacktivism here is being limited to counter
attacks as a response and not first strikes as discussed earlier.
Hacktivism is the most severe case of hacking behavior because the defender is a trained
attacker. However, hacktivists' stance, based on the work of Olson (2012), would not be
supported by a Kantian approach. They would feel it is acceptable to hack, but that they would
not want to be hacked. While this approach is unfair and does not approach equality, it is based
upon an elitist attitude. Since hacktivist groups frequently recruit others and tell them their
hacking is untraceable when it is not, it does not support the integrity test. Unlike the defender
conducting basic hacking back with limited experience, the hacktivist is a skilled attacker and
has the tools and resources to carry out the attack. From a utility test, the hacktivist simply does
not care about the consequences of his hacking: it is all about the conquest. Based on this
argument, hacktivism cannot be supported ethically at any level.
CONCLUSIONS
While much of the conversation on cyber counter attacks has focused on the legal perspective,
this paper has focused on the examination of counter attack methods using previously established
ethical groupings. The findings, summarized in Table 1, show that there are many issues and
consequences to consider when considering a counter attack strategy. Ultimately, it is the
consequences of the methodology used that determines whether it is an ethical approach or not.
Table 1: Comparison of Ethical Principles to Counter Attack Vectors

| Ethical Principles: Group | Ethical Principles: Components | Vector: Honeypots | Vector: Trojan Horses | Vector: Counter Attacks | Vector: Hacktivism |
|---|---|---|---|---|---|
| "Golden Rule" by Kant | Consistency, Respect for Individuals, Autonomy of All | Yes | Yes | No | No |
| Fairness | Integrity, Justice | Yes | Yes | No | No |
| Utility | Utility, Competence | Yes | No | No | No |

REFERENCES
Kant, I. (1964). Groundwork of the Metaphysics of Morals (H. J. Paton, Trans.). New York:
Harper and Row, Publishers, Inc.
Kirk, J. (2012, October) Irked by cyberspying, Georgia outs Russia-based hacker -- with photos.
Networkworld.
http://www.networkworld.com/news/2012/103012-irked-by-cyberspying-georgia-outs-263790.html
Olson, P. (2012) We are Anonymous: Inside the Hacker World of Lulzsec, Anonymous, and the
Global Cyber Insurgency.
Payne, D., & Landry, B. J. L. (2006) A uniform code of ethics: Business and IT professional
ethics. Communications of the ACM. 49(11), 81-84.
Raiborn, C. and Payne, D. (1990). Corporate codes of conduct: A collective conscience and
continuum. Journal of Business Ethics, 9(11), 879-889.