Vice or Virtue? Exploring the Dichotomy of an Offensive Security Engineer and Government "Hack Back" Policies

In response to increasing cybersecurity threats, government and private agencies have increasingly hired offensive security experts: "red-hat” hackers. They differ from the better-known “white-hat” hackers in applying the methods of cybercriminals against cybercriminals and counter or preemptively attacking, rather than focusing on defending against attacks. Often considered the vigilantes of the hacker ecosystem, they work under the same rules as would be hackers, attackers, hacktivists, organized cybercriminals, and state-sponsored attackers—which can easily lead them into the unethical practices often associated with such groups. Utilizing the virtue (ethics) theory and cyber attribution, we argue that there exists a dichotomy among offensive security engineers, one that appreciates organizational security practices, but at the same time violates ethics in how to retaliate against a malicious attacker.

[1]  Paula Roberts,et al.  Virtuous Hackers: developing ethical sensitivity in a community of practice , 2002, Australas. J. Inf. Syst..

[2]  Jon R. Lindsay,et al.  North Korea and the Sony hack : exporting instability through cyberspace , 2015 .

[3]  B. Turner Center for a New American Security , 2014 .

[4]  Suzanne K. Damarin,et al.  The second self: Computers and the human spirit , 1985 .

[5]  W. Lynn Defending a New Domain: The Pentagon's Cyberstrategy , 2010 .

[6]  Martin C. Libicki Cyberdeterrence and Cyberwar , 2009 .

[7]  Kenneth J. Knapp,et al.  Ten Information Warfare Trends , 2007 .

[8]  Gary McGraw,et al.  Exploiting Software: How to Break Code , 2004 .

[9]  Nigel Inkster,et al.  Information Warfare and the US Presidential Election , 2016 .

[10]  Scott Mensch,et al.  Information Security Activities of College Students: An Exploratory Study , 2011 .

[11]  Richard A. Clarke,et al.  War from Cyberspace , 2009 .

[12]  Gary McGraw,et al.  Software Security: Building Security In , 2006, 2006 17th International Symposium on Software Reliability Engineering.

[13]  G. McGraw Cyber War is Inevitable (Unless We Build Security In) , 2013 .

[14]  Aasha Bodhani Bad... in a good way [Information Technology Security] , 2013 .

[15]  D. Dittrich,et al.  Active Response to Computer Intrusions , 2005 .

[16]  W. Earl Boebert A Survey of Challenges in Attribution , 2011 .

[17]  H. Lipson Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues , 2002 .

[18]  L. Spitzner,et al.  Honeypots: Tracking Hackers , 2002 .

[19]  T. Jordan,et al.  A Sociology of Hackers , 1998 .

[20]  B. Buchanan,et al.  Attributing Cyber Attacks , 2015 .

[21]  T. M. Chen,et al.  Stuxnet, the real start of cyber warfare? [Editor's Note] , 2010, IEEE Netw..

[22]  Clifford Stoll,et al.  The Cuckoo's Egg , 1989 .

[23]  Kenneth Einar Himma Internet security - hacking, counterhacking, and society , 2007 .

[24]  Kathryn C. Seigfried-Spellar,et al.  Cybercrime and Digital Forensics: An Introduction , 2015 .

[25]  Michele Tomaiuolo,et al.  International Journal of Cyber Warfare and Terrorism , 2014 .

[26]  John Markoff,et al.  Take-down : the pursuit and capture of Kevin Mitnick, America's most notorious cybercriminal : by the man who did it , 1995 .

[27]  Danny Bradbury Fighting botnets with sinkholes , 2012, Netw. Secur..

[28]  L L Curtin When virtue becomes vice. , 1993, Nursing management.

[29]  Rain Ottis,et al.  Estonia after the 2007 Cyber Attacks: Legal, Strategic and Organisational Changes in Cyber Security , 2011, Int. J. Cyber Warf. Terror..

[30]  Winfried E. Kühnhauser Root Kits: an operating systems viewpoint , 2004, OPSR.

[31]  H. V. Jagadish,et al.  Information warfare and security , 1998, SGMD.

[32]  M. Bailey,et al.  Towards Community Standards for Ethical Behavior in Computer Security Research , 2009 .

[33]  S. V. Evera The Cult of the Offensive and the Origins of the First World War , 1984 .

[34]  Ellen Spertus Why are there so few female computer scientists , 1991 .

[35]  James H. Cross,et al.  Reverse engineering and design recovery: a taxonomy , 1990, IEEE Software.

[36]  Paulo Shakarian,et al.  Cyber Attribution: An Argumentation-Based Approach , 2015, Cyber Warfare.

[37]  Farnam Jahanian,et al.  A Survey of Botnet Technology and Defenses , 2009, 2009 Cybersecurity Applications & Technology Conference for Homeland Security.