Rules for Cybersecurity

Given the ongoing discussions surrounding „Hackbacks“ and regulations regarding „intrusive Cybersecurity,“ I propose the following rules:

  1. Acknowledging our society’s reliance on IT, especially critical infrastructure such as energy and hospitals, which are integral to our daily lives.
  2. We commit to refraining from using our knowledge to compromise critical infrastructure even during conflicts. ( Is it viable to designate IP ranges as critical infrastructure? Could a service be established to identify such critical infrastructure? )
  3. We will responsibly disclose information about attack vectors and zero-day vulnerabilities, refraining from selling or utilizing them in any way.
  4. Should the creation of trojans or viruses utilizing zero-day vulnerabilities occur, disclosure to all relevant parties will be mandatory. Failure to disclose may lead to the creation of more potent and potentially life-threatening attacks, unbound by national or state limitations.
  5. We pledge support to any nation where our infrastructure is employed to cause harm contrary to our local laws. For instance, in cases where botnets are utilized to distribute encryption software, they should be dismantled, and those responsible brought to justice. In such instances, hackbacks are unnecessary.
  6. Research in secure environments must be permitted, and its outcomes should be openly shared.
  7. We commit to using AI solely for non-intrusive purposes.
  8. AI will be utilized to deactivate network segments and deploy passive countermeasures.
  9. AI will aid in identifying zero-day vulnerabilities and conducting scans, with mandatory disclosure of findings.
  10. AI will not be employed to develop a new generation of viruses, launch active attacks on systems, or deceive individuals for potential misuse.