Identity theft, viruses, spam, spyware, and other online insults routinely make the news, and many of us feel overwhelmed.
Readers of newsletters such as this one typically regard markets and private action, not regulatory mandates, as best equipped to counter online security breaches as well as cope with other challenges created by the digitization of information, such as instances of copyright infringement. That said, it’s worth pausing to consider an extreme implementation of self-help: the question of attacking the attackers ourselves.
Given many Internet users’ preference that governments maintain a “hands off” posture, there is a well-founded basis for the natural tendency to want to solve one’s own problems and “hack back” at identity thieves and their ilk. So it’s appropriate to address self-help in light of what it means for cybersecurity and protection of digital content. Is it a plus or a minus?
Sometimes self-help is plainly outrageous: In a notorious case of “spam rage,” one man so fed up with “male enlargement” ads threatened to torture and kill the spammers. A vastly more measured and sensible campaign was Microsoft’s establishment of a $5 million Anti-Virus Reward Program, which offered $250,000 bounties for information leading to conviction of the creators of the SoBig and MSBlast viruses.
The openness of the Internet complicates what might seem straightforward security policing. Some self-appointed do-gooders engage in “patriot hacking” (albeit illegally) by targeting Web sites believed to support terrorism. Meanwhile, some organizations that lack political agendas but are still concerned about online break-ins or theft of digital content want freedom to retaliate and interfere with computers of those suspected of wrongdoing. For example, legislation has been sought by the entertainment industry for immunity from prosecution for damage resulting from their “hacking” into peer-to-peer networks, including the Peer-to-Peer Piracy Prevention Act, sponsored by Rep. Howard Berman (D-CA), which did not make it out of committee.
The pain of copyright holders is genuine, and their plight over non-compensation does arise from the unforeseen ease of sharing allowed by the Internet. However, granting the entertainment (or any) industry a pass to police our personal computers and future Internet devices cuts against broader cybersecurity goals. Private property owners have the right to defend their possessions, but they do not have a right to take damaging offensive action.
Some self-help remedies available to content creators do seem more benign than others. If copyright owners are simply loading up their own computer servers with harmless dummy files posing as copyrighted pop songs, no one has cause to complain when accessing those instead of a real file: There’s no entitlement to another’s copyrighted music.
Several controversial self-help methods have arisen to combat spam. Some proposals would employ special email filters capable of engaging in automatic denial-of-service-style attacks against spammers’ Web sites to raise their bandwidth costs. However, many spammers hide themselves by signing up for free Web services, meaning legitimate users of the services would be affected by the retaliatory action, too. Moreover, pranksters can target legitimate companies by sending bulk emails pretending to be from those targets.
“Trojan” software also makes self-help security operations dangerous. Where viruses commandeer vulnerable computers and use them to launch spam or further viral penetration, often the owners of those computers have no idea that their machines are being exploited. If an innocent individual’s computer is sending out spam without that individual’s knowledge, he or she is not the proper target of the “white hat” vigilante.
Despite the downsides of aggressive, well-intended white-hat hacking of others’ computers, hacking that probes weaknesses in one’s own network is widespread and encouraged. The idea of internal white-hat hacking is to continually improve one’s own inspection system and network.
Another alternative to reaching outward to thwart a perpetrator is the setting of “traps” on one’s own turf. Michael Schrage, a senior advisor to the Security Studies program at the Massachusetts Institute of Technology, invokes the importance of proactive “digital decoys” or “honeypots” to fool intruders. Web sites or databases that look real and serve as attractive honeypots help ensure that hackers can never be certain they’re not being tracked as they carry out what they otherwise would think a surreptitious invasion of a computer network.
Given such methods, not to mention nascent innovations like cyber-insurance and cyber-liability, more extreme hacking authorization need not come from government. While record and movie companies and the rest of us can legitimately self-protect in ways that do not impinge upon third parties, an unwarranted green light for hacking can work against broader cybersecurity and intellectual property innovations that will benefit us all.
Wayne Crews ([email protected]) is vice president for policy and director of technology studies and Achim Schmillen ([email protected]) is a research associate at the Competitive Enterprise Institute.