Is “Hacking Back” a Valid Response to a Cyber Incident?

Media Division | December 5, 2016

For years private corporations, from banks to healthcare facilities, have lamented the lack of government response to cyber incidents. While there are plenty of “reasons” for the lack of support, from the difficulty of tracing hijacked computers to the foreign origin of many hacks, the end result is that businesses absorb the cost: infrastructure, personnel, mitigation services, etc. all add up to a pretty penny.

Which raises the question: why not hack back? Is it within your rights, and a perfectly valid response, to attack your attacker? After all, the US government plans to retaliate against Russia for recent attacks during the US election race.

An eye for an eye, right?

The Benefits of Retaliatory Hacking

When it comes to retaliatory hacking, it may be in the best interest of the federal government to allow it. Why is that? Because most hacks on US corporations likely originate internationally, often from state-sanctioned or nation-affiliated groups. When a foreign entity hits a US company, it may even be an attempt to destabilize the American economy—itself a form of attack on the federal government.

If the US allows or supports private retaliatory hacking, corporations are doing some of the work for the feds.

The law itself offers another federal benefit. The US agreed to the terms of the 2006 Budapest Convention on Cybercrime, but private corporations may not fall under agreements made by governments. That means corporations could do the “dirty work” for the government, in ways the US cannot do for itself.

It’s kind of like hiring a private bodyguard.

Add to the list of benefits the fact that much of this hacking would be investigative work rather than infiltration. Some ideas include:

• Honeypots that compartmentalize data and would end up involving the authorities (thus exposing the perpetrator’s attack).

• De-authorizing the hackers’ systems, so that their crimes would be unveiled in the re-authorization process.

• Using the hackers’ own computer or phone to photograph them, with the image then handed over to authorities.

• Uncovering hijacked data and handing it over to authorities, instead of acting on any infiltrated information.

Hacking of that nature would be more like hiring a private detective: you aren’t damaging the investigative system, just bringing in your own back-up.

A Hack-Back Gone Wrong

Setting aside the legality of a retaliatory hack, there are other things that could go wrong. Those who have tried to target hackers sometimes get hacked in retaliation. Even so-called “white-hat hacking” can be a fine line, more gray than white. What happens if you find yourself outmatched by your adversary? What if your code of ethics prevents you from taking things as far as your enemy would?

Points to consider:

• Hackers often use hijacked computers whose owners may be completely unaware. If you retaliate, do you risk hitting the wrong target, and thus damaging an unwitting middleman?

• If you utilize a so-called “active defense” technique, such as attaching malware to your own data (which would deploy should your data get hacked), do you risk damaging your own system?

• Can you simply mask your data in such a way that the real data is unrecognizable and the accessible data worthless? Similar to a museum hanging a replica painting to protect the original, would such a tactic even work?

• In some countries, hacking might not be illegal, so you could hack someone there without recourse; but since it is illegal in the US, you might be the one held liable (even if it was in retaliation).

Sun Tzu said “To know your enemy you must become your enemy,” but in becoming your enemy, are you the one who will pay the price?

Another Solution

Given the legal risk of employing overt hacking techniques as a retaliatory tactic, cyber security professionals are considering other solutions, such as improved information sharing. Right now, privacy laws are such that if a cyber security firm discovers a hack on a client, that information cannot be shared with another client. Cyber security agents try to work around such requirements by instead searching for known tactics and malware, without disclosing how such tools were acquired.

When the Cyber Intelligence Sharing and Protection Act proposed “the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities,” it died. While the bill wasn’t without fault, the point is that it has come up before—intelligence communities recognize that failure to share information has a price.

Still, more effective federal support and cyber intelligence sharing could better stop hacking (without your corporation needing to hack back).

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.