A bill was recently introduced in the US Congress that would allow private organizations to ‘hack back’ when attacked. This is a Bad Idea™ that should be quickly put to rest – no good can come of it.
When we’re attacked, spoofed, phished, or just annoyed with junk phone calls, it’s human nature to want to return the favor. Companies spend large and growing resources on cybersecurity that could better be spent building new and innovative products. Unfortunately we don’t live in Utopia, and directions there don’t seem to be loaded into our GPS. So we try to protect our organizations as best we can given resource constraints. Should we divert a portion of that capability to hack back at attackers? For private organizations, absolutely not. Let me explain.
It goes back to the problem of attribution, which I’ve written about in the past. Our adversaries are well versed in covering their tracks, planting misdirecting evidence, and throwing blame on innocent third parties. Hacking back is far more likely to inadvertently hit a different victim of the hackers than the actual actors themselves. Worse, we know the bad guys would use this as a new threat vector. Rather than attacking company A directly, they’d hack those servers, and use them to hack company B. When B retaliates against A, they do far more damage than the original hack. If the two firms are direct competitors, then the only ones who really win in this situation are the bad guys and trial attorneys. Oh, and on that last point – no legal counsel worth their salt is going to authorize a hack-back by a private entity, regardless of what the law says.
You’ll notice I’ve only talked about private organizations, which leaves law enforcement or national intelligence and defense. I’m not going to address ethics of ‘stockpiling’ vulnerabilities, but there’s no question that those agencies and the military definitely possess offensive cyber-attack capabilities. Should those be used on behalf of private organizations? Only as much as is necessary for attribution and criminal prosecution – and even then, only with appropriate authorization and oversight.