Hacking tools tipped to become weapons of the state

Summary: Cyberspace will soon come under much greater legal control, according to one expert, who forecasts that denial of service attacks will eventually be ordered by courts of law against offenders.

TOPICS: Security
Governments could soon be using hacker tools for law enforcement and the pursuit of justice, according to an expert on IT and Internet law. Joel Reidenberg, professor of law at New York-based Fordham University, believes it likely that denial of service (DoS) attacks and packet-blocking technology will be employed by nation states to enforce their laws. This could even include attacks on companies based in other countries, he says.

Reidenberg told a seminar at the Oxford Internet Institute (OII) on Tuesday that democratic governments have an obligation to enforce their laws in the online space, as well as offline. Previously, this was thought to be extremely difficult due to the global nature of the Web.

"In the 1990s, it was thought states had no way of enforcing their laws online. That conventional wisdom doesn't stand up any more," said Reidenberg.

According to security experts, intelligence agencies have been conducting hacking attacks online for years. Reidenberg, though, sees a future where such actions would be just another legal instrument wielded by the state.

In 2000, a French court ordered Yahoo to block Nazi paraphernalia from being auctioned through its site in France -- where it is outlawed because it violates France's hate speech laws. But a US court later ruled that the decision could not be enforced in America, where Yahoo's servers were sited.

At the time, the French government was ridiculed in some quarters for believing that they could impose their laws on companies based in other jurisdictions.

But according to Reidenberg, the power of technologies such as distributed DoS attacks and worms means this is theoretically possible. "Distributed denial of service attacks and worms are characterised by having police powers," Reidenberg told the OII. "We think of them today as only being used by bad people, but these same instruments could just as easily be used by states to enforce legal judgements."

Some members of the audience at the OII expressed deep concern at this idea, suggesting that governments couldn't be trusted to wield such powers responsibly.

Reidenberg pointed out that the Chinese government has already imposed restrictions on Internet traffic -- the "Great Firewall of China" -- to prevent access to certain Web sites. He suggested that if a case similar to that between the French courts and Yahoo arises again, the company concerned could see itself virtually banned from that country. "States could soon have technology, if they haven't already, to intercept packets of data that they have decided shouldn't enter their country, in the same way we have officials patrolling national borders today," Reidenberg explained.

Another option could be an 'electronic blockage', where a company would be prevented from communicating across the Web outside of its home country. This would require the development of packet interception techniques, and would also need the help of intermediaries such as Internet service providers.

In the most extreme example, a company's Web site could even be taken offline by a distributed DoS attack, which Reidenberg likened to the "death penalty", if they failed to comply with a legal order.

One economist with links to the government who attended the seminar said she didn't believe regulators are considering such tools at present. But Reidenberg says that sites such as Amazon, Yahoo, eBay and CNN have all been seriously disrupted by DoS attacks launched by malicious hackers, and that the same tools could be effectively wielded by the forces of law and order.

Before any of this can take place, though, countries will have to lay out clear rules for online enforcement.

Reidenberg told the OII that there must be prerequisite legal authority, stating the conditions when police can resort to online tools. This could include an assessment of the magnitude of the threat. For example, in the Yahoo France case, if the presence of Nazi memorabilia for sale online was likely to lead to public rioting, the French authorities could be justified in deciding to attempt to shut Yahoo down immediately.

According to Dr Stephen Coleman, visiting professor in e-democracy at the OII, Reidenberg's views are just one part of a bigger picture surrounding law enforcement and government action on the Internet. "There is some speculation about whether some of the necessary technology exists already," Coleman said, warning that he was extremely dubious whether we could ever have the effective global intelligence needed, as well as a truly accountable appeal process. "In terms of the use of disruptive technology, the UK government's secure intranet is hacked into once every three seconds -- primarily by its allies."

A senior official from Cable&Wireless also warned that there is a much greater degree of uncertainty about the location and identity of online agents, compared to offline. He believes this would make it much harder for courts to issue a warrant permitting action to be taken against a Web site rather than an offline entity such as an office.

Another hurdle to be overcome is the problem of third-party damage. An attack on an Internet bank or email provider could inconvenience Web users across many countries -- governments could find it impossible to justify causing such disruption.

Dr Reidenberg is currently working on a book about states and Internet enforcement. He recently published a research paper on the issue, which can be seen online here.

  • Isn't it much easier for law enforcement to order DNS owners to remove target's URL from their servers?
  • Professor Reidenberg's notion of using offensive malware (i.e. blended threats, worms, etc.) and DDoS attacks as enforcement tools is silly. Tools like those defy precise control after they have been unleashed. The inability to employ them with precision degrades their viability as tools of state.
  • only learning hacking
  • I think these guys really mean it, the nerve. Watch out what you're doing on the net, 'cause "online enforcement" could get u and hack your PC for that. So could we be reading about the "virtual cops"? Well, if that's the case, then I don't think these guys will pull u over, they will pull u into jail, and also give u as a bonus some fines and hardware confiscation. That sounds smashing, doesn't it? Hmmm... Well, if these fat corrupted people that call themselves "THE Government" really want to do this, then hackers will start working "LEGAL" and get paid for it 2 (Y). This is the positive side of the story, and if there isn't a turned-on light bulb over your head, and you're asking "But what is the Black side?", then u read this till u pass out and dream it all, lol.