Do you “hack back”?

Some cybersecurity victims are taking retribution into their own hands. Is this really a good idea?

Courtenay Brammar
Cyber Security: Beyond the headlines

--

Welcome to another edition of Cyber Security: Beyond the headlines. Each week we’ll be sharing a bite-sized piece of unique, proprietary insight from the data archive behind our high-quality, peer-reviewed, cyber security case studies.

Although you may never have heard of it, “hacking back” isn’t a new concept. Its potential merits, shortcomings and risks have been discussed as far back as 1999. But now a proposed act in the US seeks to make certain hacking-back activities legal for the first time in the US. Perhaps it’s time to understand a little more about it and the moral and practical issues at hand.

So what is hacking back? As with many cyber security terms it’s difficult to find a definition that is universally accepted.

Back in 2013, PCWorld set out a loose definition: “hacking back involves turning the tables on a cyberhacking assailant: thwarting or stopping the crime, or perhaps even trying to steal back what was taken”. In 2016, TechTarget defined hacking back as “accessing a computer, network or information system without authorization. The motive for an organization to hack back against an attacker may be to recover or wipe stolen data or intellectual property. Other motives for hacking back may be retaliatory in nature, including disrupting or damaging the attacker’s systems and degrading their ability to carry out future attacks.”

Hacking back can involve any of the following three actions:

  • Deleting or retrieving stolen data
  • Harming the hacker’s system
  • Identifying the hacker and reporting them to law enforcement authorities

A real-life event provides a useful example of this phenomenon in action, which rarely becomes public knowledge. In the London Bridge Plastic Surgery cyber attack of October 2017, the attackers accused the chief plastic surgeon of hacking them back and stated that they had “punished Christopher accordingly”, which certainly sounded ominous, though there is no detail on what was meant by this.

As with other forms of hacking, hacking back is certainly illegal in the US under the Computer Fraud and Abuse Act. According to Ray Aghaian (former attorney in the Department of Justice’s Cyber & Intellectual Property Crimes division) “there is no law that actually allows you to engage in an attack. If you attack an attacker, you’re in the same boat”.

However in some government and law enforcement circles it is now beginning to be seen as a potential solution to an ever-growing problem.

In 2015, Juan Zarate, the former deputy national security adviser during President George W. Bush’s administration, told a forum that “The U.S. government should consider allowing businesses to develop tailored hack-back capabilities. The U.S. government could give a private company license to protect its system, to go and destroy data that’s been stolen or maybe even something more aggressive”.

More recently, Lawfare, the influential blog for US law enforcement, concluded that the US “should let victims of computer attacks try to defend their data and their networks through counterhacking”. In the UK, chancellor Philip Hammond has said: “No doubt the precursor to any state-on-state conflict would be a campaign of escalating cyber-attack. We will not only defend ourselves in cyberspace but will strike back in kind when attacked.”

However, the info/cybersecurity crowd has met this potential solution with doubt, disbelief and vexation. They counter that hacking back requires years of technical expertise, probably direct hacking experience, and that even with that it may still cause more harm than good.

What do you think of hacking back? We’d love to hear your thoughts.

Found this interesting? Sign up to receive these insights every week directly in your inbox and check out our previous editions at Cyber Security: Beyond the headlines.
