IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Where Next With Hacking Back Against Cyber Crime?

After the recent ransomware attacks against Colonial Pipeline, JBS and others, there are new calls for the U.S. to hack back against cyber criminals and hold nation-states responsible. So what now?   

Vladimir Putin
In his first foreign trip since being sworn into office, President Joe Biden is in Europe this week to meet with global leaders, including Russian President Vladimir Putin. There are numerous important aspects to this story and lots of advice on how Biden should handle the situation. But one closely watched aspect to this story includes what can be said, and done, to curtail cyber crime and stop accelerating ransomware attacks?

The Russian government has denied any involvement in ransomware, which may be technically true, but many global leaders are calling for countries to do more to stop criminals who may be operating within their borders.

Indeed, FBI Director Christopher Wray compared the ransomware challenge to 9/11 and called for a coordinated fight across society.

I appeared on MiTechNews last Monday with Mike Brennan to discuss our global ransomware situation, and what the U.S. can do to address the problems at a national level. (Note: It is widely recognized that public- and private-sector companies need to do more to protect themselves as a top priority.)

IS HACKING NOW BACK ON THE AGENDA?


There have been numerous articles over the past month calling for organizations to go on the offensive or “hack back” against the cybercriminals. Indeed, several articles caught my attention this past week:

Idaho News: “BSU cyber expert: USA needs to ‘hack back’ at ransomware extortionists”
"Edward Vasko is the director of the Institute of Pervasive Cybersecurity at Boise State, created in 2020 to analyze and teach ways to protect our computers and devices from cyber attacks such as the growing threat from ransomware wrongdoers. … Vasko says the challenge facing America now is to play solid defense while developing a strong offense: in other words, learning to hack back.”

American University: “Hack-Back: Toward A Legal Framework For Cyber Self-Defense”
"The rights of private entities to use reasonable force has not extended to cyberspace. Under current law, it is illegal for the victim of a cyberattack to “hack-back” — that is, to launch a counterattack aimed at disabling or collecting evidence against the perpetrator. This blanket prohibition imposes enormous constraints on the private sector’s ability to respond to cyberattacks. Criminalizing self-defense outright would seem ridiculous in the physical world, but cyberspace blurs the traditional conceptions of property, security, self-defense, and the role of the state.”

Forbes: “As Ransomware Hackers Sit On Millions In Extorted Money, America’s Military Is Urged To Hack Back”
“The Dutch police took charge of testing and deploying the hack. When asked what such hacks involved, Marijn Schuurbiers, deputy head of the Dutch High Tech Crime Unit, told Forbes his team do similar things that criminals would do, in particular, “privilege escalation,” where a computer is breached and the hacker takes over administrator privileges.” From that point, you can basically do everything that you want.” And, he added, this could be done across multiple servers at once. ... The Biden administration is being called on to go even further than those law enforcement bodies and use the powers of military agencies like the U.S. Cyber Command to launch offensives on cybercriminals. “If the target has a strategic impact on the country, like the Colonial Pipeline, or the healthcare system, or the banking system, it doesn't matter whether it's a criminal or a nation state,’’ added Williams, the former Pentagon official. “We have to stop saying our job is to go after the nation state attackers. Our job has to be to go after the attackers who have a strategic impact on our country.”

Reuters: “Exclusive: U.S. to give ransomware hacks similar priority as terrorism”
“The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters.

“Internal guidance sent on Thursday to U.S. attorney's offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.”

When I posted the first article from Idaho News on LinkedIn, the reactions were all over the map. Here are some of the notable comments:

Dr. Dave Schippers, Sc.D., CISSP: “This is a Pandora's box. In some sense, I agree and in others, I don't. My biggest concern — will this turn into a slippery slope? I'm finding myself asking the question more frequently - what are the ethical implications of such actions? I'm not saying what is or is not ethical here. When people start demanding action - we need to assess this objectively and consider long term pros, cons and ethical implications. We have to respond logically and free from emotion to avoid ethical dilemmas. Those are my initial thoughts.”

Chip Block, Vice President and Chief Solutions Architect at Evolver, a Converged Security Solutions Company, wrote: “As the article you wrote a few years ago points out, we have been discussing this topic for a long time. Hack back has morphed into a kind of mercenary activity that most prefer not to talk about. I don't see that changing purely from a liability side. If the attackers use a hospital system to launch their attacks and your hack back brings down the hospital, that is big legal trouble. The reality is there are some situations that it makes sense, DDOS being the primary. Hacking back in the middle of a ransomware would be in the "incredibly stupid" category because you may destroy any chance of getting the decryption codes. …”

Mark Dobson from NextUse wrote: “Dan, I think it's reasonable and established doctrine when under threat to utilize a mix of offense to deter and defense to prevent further aggression.

“But, I think it’s unavoidable and inevitable that this will escalate, leading to the concern of where will the escalation stop? When one country damages another’s critical infrastructure badly enough that it costs millions/billions to repair or kills 10s/100s/1000s of people? When that, in turn, leads to a kinetic response that escalates into a declared war IRL?”

You can read the other comments and join the discussion on this LinkedIn thread here:

HACKING BACK IS NOT A NEW TOPIC


As Mark alluded to, this topic has been around for a while. It seems to come up most at periods of major data breaches and/or cyber attacks that seem to go “over the line.” Here are a couple of previous articles I have written on the topic of “hacking back”:

Can ‘Hacking Back’ Be An Effective Cyber Answer?” (2016)

"With the exponential growth in data breaches over the past few years, the concept of ‘hacking back’ is growing in popularity. Proponents ask: If I can use a gun for self-defense in my home, why can’t I similarly ‘hack back’ against attackers who invade my cyberspace? Let’s examine that premise from different perspectives. …

“What can be done? One popular answer is taking the battle to the bad guys. People call it many different things, from offensive cybercapabilities to electronic countermeasures to strike-back to hacking back or hack back."

Hack Back Law: Why the Future May Be Like the Legalization of Marijuana” (2017)

"Hacking back has been in the news a lot in 2017, with new proposed legislation that would legalize forms of a more “active defense” for companies. When added to the flurry of ‘hack back’ activity that is below the public radar right now, it seems likely that some form of legalization is inevitable. …

“Furthermore, I have heard many trusted experts describe their experiences with hacking back at various companies and describe the legalization (with precautions) as an inevitable next step.

“Also, the recent string of major data breaches, from Equifax, to the SEC, to a long string of other major data breaches, is causing more public outrage over cybersecurity than ever before."

THE UPCOMING U.S.-RUSSIA SUMMIT


A few weeks back, this article from The Hill suggested that President Biden was stepping up pressure on the Russians to go after cyber criminals in their country.

The response to that post on LinkedIn was immense, with Mark Wallace from Data by Design LLC saying, “If the Russians can look you in the eye and deny any involvement with multiple Novichok (a chemical warfare agent developed, and solely possessed, by the Russian Army) poisonings, I'm pretty sure they can deflect any attempts to blame them for hacking. There's no ‘smoking gun.’ The fact that some software modules of Russian origin were used in the ransomware hacks doesn't come within a million miles of showing that the Russian Government, or its agents, took part. The modules are available to anyone on the Dark Web.”

My response to Mark (and views on this upcoming summit) were: “Well said, good points and understood. And yet, as in so many situations with adversaries involving espionage over decades, there are always 2+ sets of deals. One for public consumption and another behind the scenes.

“Many good books on this topic going back to the Cold War; one excellent one I reviewed here: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/book-review-the-spy-in-moscow-station.html.

“I agree that they will ‘look us in the eye and deny’ lots of things — as we do to them and others in public and the UN. Lots of reasons for this. including classified operations (black ops), domestic politics, NATO and more.

“But I still stand by my partial ‘deal’ possibilities behind close doors. There are no doubt classified details we cannot share on LinkedIn showing Russia’s involvement, as stated by the FBI. This is very complicated to say the least, and the players get murky and wear multiple hats.

“But I do agree, as I concluded, that the hacking will not stop — because it is one of their best weapons. But pause? Slow? Perhaps. Evolve? Absolutely.”
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
Special Projects
Sponsored Articles