Potential for Hack-Back Legislation

Government officials and experts are weighing in on the concept of ‘hacking back’, the practice of potentially allowing U.S. companies to track down cyber attackers and retaliate.

The former head of the CIA and NSA outlined his thoughts to Fifth Domain on the hack-back issue currently being debated by Congress. He is cautious but has expressed an openness to allowing some level of retaliation by private organizations.

General Hayden is very sharp and brings unprecedented national intelligence experience to the table, but I must disagree with his position on the risks of enabling businesses to ‘hack back’.

I have had the pleasure of an in-depth 1:1 discussion with him regarding the long-term nation-state threats to the digital domain and have always been impressed with his insights. However, this is a different beast altogether.

Allowing U.S. companies latitude to hack back against cyber attackers is very dangerous. I believe he is underestimating the unpredictable nature of business management when they find themselves under attack. Unlike U.S. government agencies, which firmly align themselves with explicit guidance from the Executive branch, the guard-rails for businesses are highly variable and can be erratic. Decisions can be made quickly, driven by heated emotion.

The average American business does not understand the principles of active defense or proportional damage, nor does it have the insight to establish and operate within specific rules of engagement. It certainly does not have the capacity to determine proper attribution, gather the necessary adversarial intelligence, or even understand the potential collateral damage of the weapons it may use.

Instead, we can expect rash and likely volatile responses that lash out at perceived attackers. Unfortunately, cyber adversaries will quickly seize on this behavior and make their attacks appear as if they are coming from someone else. It will become a new sport for miscreants, anarchists, social radicals, and nation states to manipulate their targets into hacking-back innocent parties. As the meme goes, “On the Internet, nobody knows you’re a dog”.

Hack Back Consequences

What happens when attackers impersonate hospitals, critical infrastructure, or other sensitive organizations while carrying out their attacks? The hack-back response may cause unthinkable and unnecessary damage.

Congress is also considering allowing companies to ‘hack back’. Senator Sheldon Whitehouse recently indicated he is considering a proposal to allow companies to “hack back” at digital attackers.

Weaponizing Businesses

I think the whole “hack back” movement is entirely misguided.

Many compare it to ‘stand your ground’ situations as they try to convince others to join in public support. But such verbal imagery is just not applicable. A better analogy: if someone breaks into your house, you should have the right to break into their home, or the home of whomever you think did it (because you really won’t know). Most would agree it is not a good idea when framed that way.

Now consider whom you will be empowering to make such decisions. Businesses that were not able or responsible enough to manage the defense of their environment in the first place will be given authority to attack back. Yet it is unlikely they will truly understand where the actual attack is originating. They will be acting out of rage and fear, with weapons whose potential for collateral and cascading damage they do not grasp.

Every time I have heard an executive wanting to be able to ‘hack back’, it was someone who was not savvy in the nuances of cybersecurity and lacked an understanding of how incredibly easy it is to make an innocent third party look like they are the ones conducting an attack. When I brought up the fact that it is easy to make it appear as if someone else was behind the strike, such as a competitor, government agency, or hospital, the tone radically changed. Attribution for cyberattacks can take experts months or even years. Businesses have neither the expertise nor the patience to wait when they want to enact revenge.

Simple Misdirection

If allowed, hacking back will become a new sport for miscreants, anarchists, social radicals, and nation states to manipulate their adversaries into making such blunders, or into being hacked back by others who were fooled into thinking they were the source.

Allowing companies to hack back will not deter cyberattacks; rather, it will become a new weapon for threats to wield against their victims.

Interested in more insights, rants, industry news and experiences? Follow me on Medium, Steemit and LinkedIn for insights and what is going on in cybersecurity.


Responses

    1. Matthew Rosenquist (post author)

      Thanks! Being conflicted is a good tool to evaluate the many sides of an argument. I too find myself wondering how this could be beneficial in some cases, even many cases, but then get caught up on how it will likely be used. I was debating it the other day with a colleague who is responsible for security at a company. He had a great point that his staff would do well in showing restraint and doing due diligence in figuring out who might be attacking his company, then, for only a few, go after the attacker. That is great, but then I asked him about others in his sector. Do they have the same level of rigor, discipline, and forethought? Will they act within parameters of logic? His answer was ‘no’. And that is where ‘Hack Back’ arguments fall apart. We all think ‘we’ will act properly, but know there are many out there who won’t. If they then accidentally are lured to attack innocents, including yourself, then more damage is done, not less. To put it another way, everyone thinks having a tank would be cool, but nobody wants the neighbors’ kids down the street to have one.

      (1)
  1. silvergoldcrypto

    @mrosenquist this was a good and interesting read. My first response would have been to say yes, they should be allowed to retaliate. But after reading I see the complexities involved. However, I do think this kind of chaos is coming in any case due to the increasing importance of digital assets.

    (1)