When should unauthorized computer access be authorized?
Recently, the decentralized hacktivist collective, Anonymous, launched an attack campaign called Operation KKK (#OpKKK), targeting the racist hate group called the Klu Klux Klan.
Though the details aren’t that important to this article, here’s basically what happened:
- The KKK distributed a racist and somewhat threatening flier around Saint Louis County about the Michael Brown shooting.
- Members of the anonymous collective disliked the flier so much they launched a digital attack campaign against the KKK on Twitter.
- After some Twitter posturing between both groups, Anonymous hijacked two KKK Twitter accounts, gained access to KKK email accounts, successfully DDoSed numerous KKK sites, and “doxed” (shared private info of) alleged KKK members.
Most rational and ethical people dislike the KKK very much and won’t shed a tear for the KKK’s misfortune. Yet, hacking Twitter accounts and DDoSing websites is clearly illegal. So this incident begs the question, “When, if ever, is unauthorized computer access justified?”
In the US, the Computer Fraud and Abuse Act (CFAA) is the primary law preventing attackers from breaking into your computer. Though lawyers might call this an oversimplification, the CFAA essentially says any unauthorized access to someone else’s computer system is illegal; and this includes spreading malware, launching DDoS attacks, and trafficking stolen passwords. Other countries have similar laws, such as the UK’s Computer Misuse Act.
Most would agree that these types of computer protection laws are good and necessary. Computers, and the Internet as a whole, are great boons to humanity. We use them to do a lot more than just updating our Instagram and watching funny cat videos. They help us pay our bills, calculate tough equations, and store our personal and confidential information. At the highest level, they even help us create, connect with others, and educate the world. Unauthorized parties have no right to illicitly access our computer systems, steal our digital information, or prevent our digital communications. We need laws to protect our computers and online accounts.
However, should everyone get equal protection?
You’d think the answer to that question was obvious, but the public’s reaction to #OpKKK suggests otherwise. In short, most people reacted positively to Anonymous’ hack. In fact, some op-ed pieces supported the campaign, saying the attack was justified.
This concerns me. Though I too dislike the KKK, and I can’t help but admit my first reaction to this hack was to grin wickedly, I don’t condone the criminal activity of taking over someone else’s account. Deciding that one network attack is justified because you don’t like the particular victim is a slippery slope that leads to network anarchy.
Like our right to freedom of speech, laws like the CFAA don’t work effectively unless they apply equally to everyone. If we expect laws to protect our computers from being hijacked, we can’t endorse hacktivist collectives for breaking those laws, even when they are hacking an organization we hate.
However, this concept doesn’t just apply to #OpKKK and Anonymous. Unfortunately, there are other entities that seem to be stretching our computer misuse laws and gaining unauthorized access to computers for our supposed good. Those entities are nation-states.
Over the past few years, we’ve learned of repeated incidents where alleged government entities have used cyber attacks for their own gain. Advanced malware leaks like Stuxnet and the recent Regin show that nation-states have designed and launched sophisticated trojans to gain “unauthorized access” to targets for espionage. The Snowden leaks show that governments are finding as many ways as possible to surveil Internet traffic, and can intercept a particular user’s traffic to inject attacks that hijack the user’s computer. The NSA even has a group called Tailor Access Operations (TAO), whose entire purpose is to gain “unauthorized access” to a target’s computer. Some experts even claim the FBI hacked a server without a warrant in order to take down the Silk Road (though the FBI denies this).
These nation-state incidents will likely continue to accelerate, with the US allocating $5B for military cyber spending in 2015 (a 500% increase from last year). On top of that, the FBI is actively trying to weaken the encryption of products we all use to retain easy surveillance options. If you support the #OpKKK attacks and “unauthorized access,” do you also support nation-states launching similar attacks?
The world is not black and white. In my mind, the Twitter hacks of #OpKKK were illegal and wrong, even if the victim is despicable. However, the cyber operations of governments are a gray area. Most would agree that unwarranted, mass surveillance and computer hijacking is wrong (and the US’s Fourth Amendment supports that). However, it’s naive to think that authorities shouldn’t have some sort of elevated “cyber policing” capability on a case-by-case basis. Most governments allow law enforcement to wiretap phone lines, on an individual basis, after showing probable cause of criminal activity to a local judge and getting a warrant (not from a secret court). To catch modern cyber criminals, authorities do need some sort of extended “cyber” capabilities, and perhaps exceptions to laws that affect private citizens. But how much power should we give them? When exactly should we authorize unauthorized computer access?
I don’t have answers to these questions, only more questions and opinions of my own. However, I do know that we, the security professionals of the world, need to have this discussion with our governments-¦ in the open. Breaking into someone else’s computer should be illegal, but there might sometimes be good reasons to make exceptions to that rule. In those cases, nations need to openly and publicly make decisions together with their constituency and experts in the field, so that we all understand what is right and wrong in the eyes of Internet and computer surveillance law. Otherwise, the Internet will revert back to a digital wild west, and the laws designed to protect the innocent will have no teeth.