Debating the Active Response Continuum: Defining the Terms of the Debate
28 May 2013 David Dittrich active-defense active-response-continuum aggressive-network-defense hack-back
[This post expresses the personal opinion of the author and is not an official statement representing the Honeynet Project.]
At the AusCERT 2013 conference, Dmitri Alperovich called for debate about, “the kinds of actions that infosec professionals are allowed to take against attackers.” I agree with Dmitri, and in fact I made the same call, at the same conference on May 23, 2005! (AusCERT invited me to speak on an emerging topic and I chose to speak for the first time publicly at AusCERT 2005 about the Active Response Continuum research I had been doing with funding from Cisco.) As one of the world’s foremost experts on this topic, with over two decades of security operations experience, I welcome Dmitri to the debate. :)
What follows is adapted from the forthcoming book, “The Active Response Continuum: Ethical and Legal Issues
of Aggressive Computer Network Defense,” by David Dittrich. I welcome any comments, suggested modifications and/or additions.
There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems. This has been called active defense, aggressive [network] self-defense, counter-attack, and even hacking back. Regardless of the reasons why someone would want to take such actions, it is necessary to discuss the options, acknowledge the risk and benefit tradeoffs, and identify how aggressive actions can be taken in a manner that is safe, controlled, and justifiable (as best this can be accomplished). This cannot be accomplished, however, if everyone comes at the subject with their own individual frame of reference and language. (This was pointed out by more than one person at this year’s Suits & Spooks DC 2013 conference.)
Defining the Terms of the Debate
The discussion of what is or is not ethical, or legal, in aggressive responses to computer network attack is perhaps made most difficult due to disagreements about semantics. The first paragraph in this chapter used four of the most common terms, each of which can be interpreted by two different people as having diametrically opposed meanings.
To have meaningful discussion of such complex and potentially harmful activities, it is helpful to start with clear definitions of terms and to use them consistently – or at least clearly define the way they will be used if and when a speaker holds a different definition in their mind – in order to avoid needless debate, or worse, to mislead the listener into going along with a decision they otherwise would not take.
These terms, derived with input from some of the voices of reason in the computer security field (Thanks to Aiden Riley Eller, Rik Farrow, Dan Farmer, Dan Geer, David Kane-Parry, John McDonald, Ryan Permeh, and Frank Rieger, for their feedback), are presented in alphabetical order and cross-reference each other as appropriate.