A cyberattack is usually seen as a crime—or even an act of war. But when considering the ethics of how to respond to major security breaches, it might be more useful to think of cybersecurity in terms of zombie warfare.
Cyberattacks are a plague upon the internet. We attempt to immunize ourselves against viruses and other malware. A botnet (a network of computers infected with malware) and other self-proliferating attacks can even resemble infectious diseases, turning unsuspecting computers into “zombies” that swarm against a target. The question is what we should do in the event of a zombie attack—barricade ourselves indoors, or go outside and battle the undead by hacking back?
First, a little background: What exactly is hacking back? If your computer or your company’s information systems are hacked, you may be tempted to respond with some hacking of your own. This can take many forms, some more problematic than others. For example, you could install spyware on the attacking computer, maybe activating its webcam, to collect information and identify the perpetrator. You could even break into the attacking computer to delete or retrieve stolen data. You could also set a trap by embedding your sensitive data with malicious code that locks down a cyber-thief’s computer, as ransomware does, making it unusable.
Some critics have argued that we should not hack back. In a pandemic, they suggest, we ought to secure our own homes instead of battling the infected outside. The worry is that hacking back might erode the rule of law: It’s the government’s job to protect us, and taking the law into our own hands could lead to chaos.
But in a zombie scenario, there’s not much protection or law and order to begin with. Indeed, law enforcement often can’t do much to prevent or prosecute cyberattacks. So despite the potential for personal risk, we may have to pitch in to help ourselves and others.
In fighting the cyber-zombie apocalypse, we don’t necessarily need to do anything as theatrical as sever the heads of our attackers. Our response to a breach can be as simple and nonaggressive as pushing security patches onto infected computers, such as uninstalling malware that had opened the door for the initial attack. This is similar to forcible treating or quarantining patients diagnosed with a deadly virus to prevent the spread of contagion.
Hopefully, our security patches and other countermeasures won’t end up damaging the hijacked computers of innocent owners. No one likes putting down a hapless zombie, especially one you had known. But it’s debatable whether real harm will have been done. Compromised machines shouldn’t be used anymore anyway, and untreated machines are the reason why infections rage on.
Extending the metaphor, everyone also has a responsibility to keep up with malware inoculations, to avoid suspicious links and so on, so as not to get bitten by a zombie and spread the virus to others. If someone fails to take precautions, they are at least partly to blame for their fate.
But while we ought to take all reasonable steps to avoid the zombies, no security is perfect. Sometimes the evil dead can slip inside your house. If they do, they ought to be dealt with quickly, especially if no one is coming to your rescue.
All this suggests another analogy: Computers—or the internet itself—as dual-use weapons. This is already implied when we think of cyberattacks as criminal or military aggression, and even in the zombie-apocalypse metaphor. Misuse and irresponsible use of computers are the threat, with some pundits believing that the “internet, whatever its many virtues, is also a weapon of mass destruction.”
The current lack of respect for the power and vulnerabilities of our computing devices has helped create the debate over hacking back and other security issues. To be fair, the internet wasn’t designed for security when it was created decades ago, but only for a small group of researchers who trusted one another. That circle of trust has long been breached. We now need more vigilant and prepared users to help prevent cyberattacks from landing in the first place, making moot the decision to hack back.
Therefore, to truly address cybersecurity, we may need to seriously consider requiring computer users to have special training and licensing, or at the very least to keep up with basic hygiene requirements. Firearms and automobiles also have a high potential for misuse, so they require proper training and licensing. The US Federal Aviation Administration just required aerial drones to be registered, similarly recognizing that drone operation can be both recreational and dangerous.
Perhaps this solution is too radical to work. A new report on the ethics of hacking back, released today (Sept. 26) by the Ethics + Emerging Sciences Group based at Cal Poly, explores other possibilities. But a radical change of perspective may be what’s needed to solve such a relentless problem, and the right metaphor may be able to inspire that paradigm shift.