The whole “hack back” movement is entirely misguided. And please stop with the analogies to ‘stand your ground’, as they are not applicable. A better analogy is saying if someone breaks into your house, you should have the right to break into their home or whomever you think did it (because you really won’t know). Not such a good idea.
Now consider whom you will be empowering to make such decisions: those who aren’t responsible enough to manage the defense of their environment in the first place, much less truly understand where the actual attack is originating. They will be acting out of rage and fear, with weapons whose potential for collateral damage they do not comprehend.
Every time I have heard an executive wanting to be able to ‘hack back’, it was someone who was not savvy in the nuances of cybersecurity and lacked the understanding of how incredibly easy it is to make an innocent 3rd party look like they are the ones conducting an attack. Simple misdirection. It will become a new sport for miscreants, anarchists, social radicals, and nation states to manipulate their adversaries into making such blunders, or to be hacked back by others who were fooled into thinking they were the source.
Instead, let’s first focus on learning the basics; applying good digital hygiene is crucial. Take basic steps to institute best practices that make it difficult for cyber-criminals to victimize others, work with white-hat hackers and researchers to harden products, and up-level the savvy of our users to close the easiest avenues of compromise. We need to think in terms of building a sustainable risk management environment where security adds to the overall benefit of technology.
Authorizing retribution and retaliation is a disastrous idea. Most organizations can’t comprehend the potential collateral damage from offensive actions. What if hack-backs take down the power grid, shut down a hospital, or cripple the communications of innocent bystanders? Yes, those are all very real scenarios.