We’re back to hacking back.
Actually the topic never really went away, but the practice has received growing attention since I wrote my initial blog on the topic over 18 months ago. That piece, titled Can ‘Hacking Back’ Be An Effective Cyber Answer?, defined relevant terms, gave examples and made the case for and against new "hack back" laws.
So why revisit the topic now?
Answer: A recent article in The Daily Beast described (in new detail) what’s actually happening on the ground now regarding hacking back, while elevating the topic to new levels of global interest. Here’s an excerpt from Revenge Hacking Is Hitting the Big Time:
“This is the underground practice of hacking back, where private companies and individuals retaliate against hackers to protect their own networks or data, often breaking laws in the process. But despite being something of an open secret in the information security world, examples of what exactly happens behind the scenes of these hacking campaigns rarely make their way into the public, stifling the debate on whether this practice should be the norm.
Soon, hacking back may become legal too, if a piece of legislation proposed earlier this year by a Georgia congressman passes.
‘Almost every large organization I consult with has some form of hack back going on,’ Davi Ottenheimer, president of security consultancy FlyingPenguin, and who has engaged in the practice, told The Daily Beast.”
Furthermore, I have heard many trusted experts describe their experiences with hacking back at various companies and describe the legalization (with precautions) as an inevitable next step.
Recent Media Coverage on Hacking Back
There is no shortage of well-written articles on this topic that have emerged in 2017. Starting on the “why this is a bad idea” side of the equation, here are a few to consider:
Motherboard.com (discussion from March 2017): FBI Director Tells Companies Not to ‘Hack Back’ Against Hackers — “Last week, a Republican congressman proposed a ‘cyber self-defense’ bill, which would allow companies to counterattack against hackers. The Active Cyber Defense Certainty Act (ACDC) would make changes to the infamous Computer Fraud and Abuse Act (CFAA), giving room to private actors to collect information about hackers in an attempt to identify them — in other words, hacking back.
But former FBI Director James Comey is against this general idea, and not just out of legal concern. In a speech and Q&A session at the Boston Conference on Cyber Security on Wednesday, Comey said this sort of hacking back could disrupt the FBI's own work when trying to apprehend criminal hackers. …”
Wired magazine: Letting Cyberattack Victims Hack Back is a Very Bad Idea — “Here's the problem with retaliating: As many recent hacks have shown, it's extremely difficult to identify the entities behind cyberattacks. Attackers cover their tracks by routing strikes through others' computers, which makes hack-back attacks likely to be misdirected at computer systems belonging to innocent third parties. …”
Engadget.com: If hacking back is law, what could possibly go wrong? — “Brian Bartholomew, senior security researcher at Kaspersky Lab, told Engadget, ‘While the proposal's intent is to make it more difficult for an attack to be successful, it also raises major concern within the community.’ He explained that for starters, it's impossible to contain what data the victim touches when they're hacking back, destroying the bill's rule that victims only mess with their own stolen property.
‘Another concern is for chain-of-custody preservation,’ Bartholomew told Engadget, even if victims tell law enforcement what they're about to do. ‘Providing a "plan of action" is a far cry from possessing the proper training or legal expertise on how to preserve evidence that will be upheld in a court of law,’ he explained. ‘It is only a matter of time until the first criminal is prosecuted and evidence [is] thrown out due to improper chain of custody or documentation. …’”
On the more ‘pro hack back’ law side, we have these 2017 articles:
The Atlantic: When Companies Get Hacked, Should They Be Allowed to Hack Back? — “Stewart Baker, a former homeland security assistant secretary under George W. Bush, says his advocacy for hacking back is driven not by industry interests so much as his own deeply held belief that government officials and law enforcement agencies are incapable of addressing online threats themselves. ‘It’s like the NRA saying, “When seconds count, the police are only minutes away,” except the police are days away when you’re talking about cybercrime,’ Baker says.”
FT.com: Push to let companies ‘hack back’ after WannaCry — “WannaCry, the ransomware that ransacked servers from hospitals to telecoms, could have been prevented if companies were allowed to 'hack back,' according to a Congressman behind a new bill that aims to improve cyber security defences. …
The Active Cyber Defense Certainty Act (ACDC) would exempt victims from hacking laws when the aim is to identify the assailant, cut off attacks or retrieve stolen files. …”
Why Use a Marijuana Analogy?
I love analogies. I think they can help readers put complex concepts into a new context to see important issues in new ways. Here are a few articles with analogies that I’ve used over the years:
CIO Magazine — Dr Jekyll and Mr. Hyde: Managing Online Indulgence
Govtech.com — 2016: The Year Hackers Stole The Show — With A Cause
Analogies can place a topic like the legality of hacking back into a different framework that helps anticipate the likely future course of an issue. So here’s a new analogy for you: hacking back will become legal in some parts of the country and/or world by following a path very similar to the legalization of marijuana.
Of course, as Time magazine points out, the legalization of marijuana is still very controversial in society. Marijuana (also called cannabis) use of any sort, whether for medical or recreational purposes, remains illegal under federal law. The Time article states that the legalization process has mainly come from citizen support at the state level for medical access and decriminalization, through lobbying, activism and ballot initiatives.
Another benefit of looking at these topics side by side is to learn from history. I have seen that history repeats itself all the time regarding cybersecurity and technology topics, and we need to learn from the situations and legal issues that have set precedents.
Is Hacking Back Heading in the Same Direction as the Legalization of Marijuana?
You’re probably thinking: Why are these very different areas of life similar in a legal context? I list some of the similarities below. To be clear, I am comparing the practice of using marijuana in various contexts becoming legal to the practice of companies or individuals hacking back becoming legal, after the person or company was hacked online. (Note: The exact definition of what it means to be hacked or to suffer a data breach will need to be clarified for these new laws, but there are precedents for these definitions.)
Here are similarities between these two (seemingly unrelated) practices becoming allowed under law:
1. The legal status quo isn’t/wasn’t working in both cases in society. (Note: In the case of marijuana use, criminalizing users was/is often seen as less effective than dealing with the issue as a public health problem.)
2. The issue is getting worse and costing more law enforcement dollars, with inadequate or worsening results. (Note: In the case of data breaches and cyberattacks, law enforcement actions are not stopping the rapid growth in cybercrime.)
3. "Underground" activity was/is happening anyway to implement the practices.
4. The central argument is that “bringing the practice out of the shadows” will bring more discipline and standards to the forefront, slow down negative consequences, add tax revenue, and bring overall better results.
5. Both practices have proponents fighting for legalization in various state, federal and international jurisdictions.
6. Both of these practices were (and are) legal in other parts of the world. In the case of hacking back, there is little doubt that global companies can conduct these hacking activities in other countries if the U.S. continues to outlaw the practice. Local jurisdictions (and states) will argue that we don’t want to let good tech jobs move overseas. Rather, can we attract more high-paying jobs here?
7. Law enforcement engagement between the state, federal and international levels faces challenges with conflicting regulations.
8. It remains an open issue how far authorities will go to enforce the laws that are on the books now, both in the area forbidding marijuana use and in the area forbidding hacking back in “self-defense.”
Of course, the trouble with analogies is that they fall apart if taken too far. There is no doubt that hacking back is a very different practice than using marijuana in many ways. Nevertheless, studying the legal path forward side by side can offer pragmatic benefits and lessons learned, in my opinion.
Final Thoughts: Where Next with Hacking Back?
Even if you are against both hacking back and non-medical marijuana use for any number of reasons (as I am), you can still recognize the pragmatic reality that these practices continue to expand in America today. Side analogy: This is similar to cheering for my favorite football team, but recognizing that it is likely that they will lose an upcoming game.
I expect to see additional steps taken to legalize hacking back in the coming years, with certain constraints and regulations applied. We may even see the development of formal licenses and/or certifications guiding who can hack back and when — just as marijuana use was initially authorized only for medical uses, when prescribed by a physician. Whether "hack back practices" expand beyond this (as marijuana use has done in some states) will depend upon a wide variety of factors — including initial results.
In this regard, I expect to see (by 2020) more public-private partnerships to ensure that any “authorized” or “legalized” hacking back is done in “safe” ways. We will probably see law enforcement organizations, who often lack the needed technical expertise to fight hackers, decide to “deputize” certain private-sector experts to help fight cybercrime under supervision.
To elaborate further on the fourth point above, The Daily Beast article ended with these words:
“… According to proponents of hacking back, authorizing the practice could make it much safer.
‘By bringing it into the sunlight, we would be able to assess the risk squarely rather than behind closed doors and pretend it doesn’t exist,’ Ottenheimer, the president of the security consultancy who has hacked back, said.
‘We are missing an opportunity to regulate something that is already happening,’ he added.
Regardless, companies will continue to strike back, in the shadows, whether lawmakers push for change or not.
‘It was effective,’ the consultant who hacked for the global bank firm said.”
These arguments sound a lot like the same arguments that were (and are) being made for the spread of the legalization of marijuana “in safe ways.”
And while I know that some cyber experts will argue that this analogy is flawed, I believe the similarities can be helpful in public discourse. No doubt, these two practices may go in opposite directions as far as public opinion and acceptance are concerned, since one is not tied to the other.
Nevertheless, I expect to see much more hacking back over the next few years — with more companies and individuals demanding that the practice become legal.