Should there be restrictions on the release of hacking tools?

This is a text outline of the interactive version available here

1.1. No. Authors of such software should decide for themselves what the best release policy should be

1.1.1. Pro: Authors of security tools are in the best position to make judgements on whether to share and how much, and routinely do
1.1.2. Pro: Pissing off the infosec elite is a cause worth fighting for
1.1.3. Pro: Effective defenses against entire classes of attacks tend to only happen as a result of the sharing of new techniques and implementations of them. For example, Mimikatz led to PPL's then eventually to Credential Guard. msdn
1.1.4. Pro: Most of those who release code already believe sharing is the best option, ensuring a voluntary restriction would have no effect
1.1.5. Pro: Underprivileged people will be empowered through access to shared code to gain functional familiarity with modern security techniques. They will be able to both gain skills and demonstrate their skills through the release of their own code, improving the information security industry's talent pool and effectiveness over the long run in addition to their own economic and career success.
1.1.6. Con: Offensive Security Tool publishing to the unrestricted internet affords threat actors free and deniable capabilities which can be used in a semi-disposable manner without incurring cost.
1.1.7. Pro: these tools, in an open source and freely available form, serve a real purpose in identifying and verifying security misconfigurations and/or detection gaps
1.1.8. Pro: Publicly shared techniques are frequently essential to gain access to otherwise inaccessible data. This true offense is critical for law enforcement investigations related to child exploitation, anti-terror intelligence gathering, understanding motives and goals in international political disputes, and exposing corruption. Pro: Countries like the US place a higher value (spend more money) gaining access to information (offense) than protecting information (defense). The US IC budget in 2017 was $73.0 Billion link which is nearly three quarters of the total global information security market in 2017 $104.60 billion link and significantly more than the US information security market. Con: Some law enforcement/intel agencies, like the NSA have a large budget and would not be significantly harmed by reduced public capability sharing since they could recreate many techniques and/or would have access to the private sharing pools. Pro: Publicly shared techniques and code have been critically important to the operations of individuals or small groups who have unmasked human rights abusers and companies that support them like Gamma Group, Hacking Team, and others Pro: Publicly shared techniques and code have been critically important to the operations of individuals and groups who have hacked and tracked malicious actors, revealing between hundreds and thousands of intrusions and enabling security teams to clean hundreds of thousands of hacked systems Hack-Back DB Pro: Leaked and discovered law enforcement and intelligence toolkits show they make heavy use of public techniques and code.

1.2. There should be voluntary restrictions such as a professional standard or common shared practices discouraging the release of hacking code, but not enforced by government

1.2.1. Con: -> See 1.1.4.
1.2.2. Pro: Bureaucrats in regulatory agencies and hard rules are notorious for misunderstanding technical intricacies and would make things worse Pro: Standards proposed to identify bad code that should be generally banned, such as "evasive" or "concealing" code are critical functionality of essential "good" code such as hunting software, AV, and EDR. It's impossible to discriminate except on self-applied labels, which are easily swapped out. MetaSploit could be branded MetaHunt. Tunneling through different ports, protocols, and wrapping in encryption is a core feature of Skype and asset discovery tools.
1.2.3. Con: Voluntary restrictions already in place, such as Cobalt Strike sales restrictions and licensing, are routinely and almost trivially circumvented
1.2.4. Pro: -> See 1.1.6.

1.3. Sharing hacking tools should be mandated

1.3.1. Pro: -> See 1.1.8.
1.3.2. Con: There's no effective way to enforce sharing private techniques since they are hidden by default
1.3.3. Con: Forced sharing would violate long-standing copyright standards and likely international agreements
1.3.4. Pro: -> See 1.1.3.
1.3.5. Pro: -> See 1.1.7.
1.3.6. Con: -> See 1.1.6.
1.3.7. Con: -> See 1.1.1.

1.4. There should be government controls on the release of such tools, punishing the distribution of hacking code either by criminal or civil penalties

1.4.1. Con: If controls are effective, underprivileged people will be even more institutionally disadvantaged by losing access to code necessary to gain functional familiarity with modern security techniques. The information security industry will lose out on talent and be less effective over the long run.
1.4.2. Con: If penetration testers, security teams, etc. are unable to get and use such code, they will be unable to demonstrate true security risk, leaving most clients unprepared for real intrusions.
1.4.3. Con: If most penetration testers and security teams etc. are granted exceptions to share and access such code, criminals and APT groups will inevitably also gain access making the controls counterproductive, only restricting blue teams
1.4.4. Con: -> See 1.2.2.
1.4.5. Con: -> See
1.4.6. Pro: -> See 1.1.6.
1.4.7. Con: -> See 1.1.8.
1.4.8. Con: New techniques shouldn't be banned because they're simply demonstrations of flaws or undocumented behavior in products, frequently of competitors. Any such ban would be most commonly abused to simply prevent disclosure of issues, leaving society as a whole in a far worse place.
1.4.9. Con: Most hacking tools are reproductions of known techniques, and there is a limitless supply. It would be as impossible to enforce a ban as it is to prevent the illegal sharing of music.
1.4.10. Con: Banning the sharing of new techniques, which are ideas, in the US would likely require repealing the 1st amendment (and possibly 2nd as well) which would be a strong net negative due to the loss of free speech.

Comments are closed.