All around the world, companies, governments and individuals are becoming increasingly frustrated over the lack of effective solutions to our growing criminal problems in cyberspace. For many, the bad guys are not just winning, they are currently crushing the good guys with few negative consequences.
When it comes to cybercrime, online attacks against critical systems, destructive malware and other forms of cyberattacks, more experts are coming to the conclusion that "just playing defense" is a losing online strategy in the long run.
What can be done? One popular answer is taking the battle to the bad guys. People call it many different things, from offensive cybercapabilities to electronic countermeasures to strikeback to hacking back or hack back.
While there are many different definitions and stories about hacking back, the term basically “involves turning the tables on a cyberhacking assailant: thwarting or stopping the crime, or perhaps even trying to steal back what was taken.”
The Supportive Case for Hacking Back
According to a growing number of security experts, there are steps that could be taken to allow for progress in this area.
In a House Foreign Affairs Committee hearing held in September last year, Chairman Ed Royce, R-Calif., noted that the nation's intelligence chiefs have lamented the lack of a clear national cyberdeterrence strategy:
"From the private sector to government, our country is taking body blow after body blow in cyberspace," Royce said in his opening statement. "Why aren't we hitting back?"
James Lewis, director and senior fellow in the Center for Strategic and International Studies' Strategic Technologies Program, said hitting back could be just the thing.
"We need to make credible threats," he said. "We need to have countries believe that we will respond with punitive action."
While Israel, Russia and, to a lesser extent, the United Kingdom and France have all shown they'll hit back after a cyberattack, the U.S. has lagged, Lewis said.
Several other experts also testified on what cyber-counter-attack steps might make sense.
But those discussions involved government actions. What about the private sector?
Earlier in 2015, Juan Zarate, the former deputy national security adviser for counterterrorism during President George W. Bush’s administration, told a forum at the Hudson Institute that “The U.S. government should deputize private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation’s businesses, a former government official says.”
Many U.S. businesses have limited options for defending their IP networks, and the nation needs to develop more “aggressive” capabilities to discourage cyberattacks, said Zarate.
The U.S. government should consider allowing businesses to develop “tailored hack-back capabilities,” Zarate said Monday at a forum on economic and cyberespionage hosted by think tank the Hudson Institute. The U.S. government could issue cyberwarrants, giving a private company license “to protect its system, to go and destroy data that’s been stolen or maybe even something more aggressive,” he added.
Several panelists at the Hudson event contributed to a new report, Cyber-Enabled Economic Warfare: An Evolving Challenge.
Furthermore, TheGuardian (UK) highlighted the perspectives of Dennis Blair, former director of national intelligence in the Obama administration, who has come out in favor of electronic countermeasures. Here’s an excerpt:
Blair co-authored a 2013 report from the US Commission on the Theft of American Intellectual Property. It considered explicitly authorising strikeback operations but stopped short of endorsing this measure at the time.
Instead, the report suggested exploring non-destructive alternatives, such as electronically tagging stolen data for later detection. It also called for a rethinking of the laws that forbid hacking, even in self-defence.
Significant Concerns With Hacking Back
Beyond the fact that it is illegal to hack back, there are currently a long list of concerns with going on the cyberoffense. Several of these are listed in this Kaspersky blog. Here are four:
- Attackers can remain anonymous forever
- Cyberattacks are asymmetric: a single hacker is capable of successfully destroying an entire company
- It’s cheap and easy for hackers to regroup almost anywhere, anytime, even if their systems are physically destroyed
- Organized crime has enthusiastically embraced cybercrime (i.e., don’t expect them to play nice)
Along the same lines as item No. 1, researchers point out the difficult problem of attribution — that is knowing who really attacked you in cyberspace.
Jason Hong, associate professor at Central Michigan State University, said “Companies should absolutely not hack back against cyberthieves. One major concern is attribution, namely knowing that you have identified the right parties. Intruders typically use other people’s computers and servers, so odds are high that a company would simply be attacking an innocent party. ...”
Questions abound regarding how this world work if everyone was attacking everyone else, which could lead to even more chaos. What is the threshold test for the level of certainty required to enforce rights?
This Security Week article contains quotes from many different industry experts regarding their views on hacking back. I find several of the quotes to be interesting, such as Chris Pogue from Nuix:
"When asked about the concept of hacking back, the answer is simple. It's cyber vigilantism. It's illegal. Don't do it. So as not to operate in the world of such moral absolutes, let me provide some additional details into why this is a horrible idea:
1. Poking the Bear — Attackers, regardless of their skill level, enjoy several advantages, not the least of which is that they are hackers and most IT professionals are not. ...
2. Who are you attacking — A large percentage of attacks take place from something called, "Jump Servers" or "Jump Boxes. ..."
3. Don't start an international incident — Many countries from which these attacks are launched consider cyber-attacks tantamount to an act of war. ...
4. We have people for that — There are federal agencies like the Secret Service, the FBI, the CIA, and the NSA whose job it is to handle situations like this. ...”
Is There Any Middle Ground?
In a Financial Times article last summer, John Strand described a set of 20 tricks and traps to thwart cybercriminals.
“The main active defense tactics as the three As: annoyance, attribution and attack. Only two of the three As are considered above-board, however.
Annoyance involves tracking a hacker and leading him into a fake server, wasting his time — and making him easy to detect. A new generation of start-ups is specializing in building traps for data centers, including two Israeli companies, TrapX and Guardicore.
Attribution uses tools to trace the source of an attack back to a specific location, or even an individual hacker. The two most popular tools in the ADHD kit are attribution techniques: the “honey badger,” which locates the source of an attack, tracking its latitude and longitude with a satellite picture, and beacons, which are placed in documents to detect when and where data is accessed outside the user’s system.”
But it is the third A — attack — that is most controversial. To “hack back,” a company accesses an alleged hacker’s computer to delete its data or even to take revenge. Both of these steps are considered illegal.
I believe that it is important to reiterate the three options laid out by the Financial Times: annoyance, attribution and hacking back.
Clarity is important, and there is a big difference between leading a hacker to a fake server (using “honeypots” or other tricks) or trace their sources of attack and taking revenge or deleting data from other systems. No doubt, the lines can get fuzzy at times, but the reality is pretty clear for most people.
Despite the many challenges to hacking back that exist today, the concept of self-defense in cyberspace is bound to lead to new laws and new clarity in regard to hacking back.
It seems to me that the biggest difference between a gun self-defense policy and cyber self-defense policy is the absolute certainty that a person has when someone is running at you with a knife or a gun in your home. There is almost no doubt who you are fighting and what needs to be done in the physical world, and cyberspace brings a host of unknowns. Bottom line, attribution is very hard.
Nevertheless, I believe that new approaches will emerge over the coming decade, which may change the playing field in cyberspace. I’m not exactly sure how we will solve the difficulties, but I have a strong feeling that this “hacking back” topic is just beginning to heat up.