For those who are not cybersecurity experts, “hacking back,” against your attackers in the case of a data breach or cyber security incident may sound logical at first. However, correctly attributing blame to the appropriate party is difficult and the consequences of mistakes are high. Retaliation often begets retaliation. The additional noise and confusion associated with trying to separate retaliation from the actual attack can create complications for organizations and law enforcement. Incorrect attribution can also lead to unintended damages to innocent parties.
Cybersecurity is esoteric and intangible to most people who don’t understand the OSI model, network packets, and RFCs created by the IETF (Internet Engineering Task Force). The average citizen or business owner just wants their web pages to work and their data to be safe. They don’t want any technical jargon or explanations that cause their eyes to glaze over. Hacking back against attackers and putting them out of commission may at first sound like a reasonable approach to eliminate the problem. But sometimes fixing one problem causes even bigger problems.
To explain why hacking back is dangerous – and the type of problems it may cause – let’s look at some analogies. Consider the following scenarios if we applied the idea of attribution and retaliation to the theft of physical belongings from an individual’s home.
If someone were to break into your house, should you be allowed to break into that person’s home in retaliation?
If theft-back becomes commonplace, you would not only have to worry about the real thieves in your neighborhood, but also the vigilantes protecting personal property that might inadvertently break into your house by mistake.
If you were allowed to retaliate to theft of your property, what should you be allowed to do?
Let’s say the thief stole some private documents you didn’t want anyone else to see. The thief distributed those documents to newspapers around the world. What form of retaliation should be allowed?
What if you incorrectly attributed theft to another individual and broke into their home by mistake?
Should you face criminal charges? Or could you argue it was an innocent mistake?
What if someone broke into your house by mistake?
Would you want the other person to be liable and go to jail? Would you want them to pay for damages?
Should you be allowed to hire someone else to break into the thief’s house?
If this third party took off with all the belongings in the other (incorrect) house, should you be liable for the theft carried out by the third party you hired?
What if someone broke into your house and you chased into another house and damaged that property in the process, but the thief was just passing through and didn’t own the house?
Should you pay for the harm done to the house you inadvertently damaged in the process? This analogy describes how proxies work. Cyber thieves break into other people’s computers and use them to do their dirty work. Attempting to hack back at an attack source may inadvertently cause damage to other innocent victims that didn’t realize their property was being used to carry out criminal activity.
Perhaps you are so skilled at theft that you would never make a mistake. Do you trust everyone else to be mistakes-free as well?
Perhaps you are the most advanced and skilled person in the world at determining who broke into your house and you would never assign blame to the wrong person. Perhaps you could retaliate perfectly and never make a mistake. But do you trust everyone else to be as skilled as you? Should they be allowed to take the same actions with no particular manner of determining their skill or level of qualification?
What happens when a real criminal is caught in your house, stealing your belongings, and claims the actions were retaliation as allowed by law?
Crimes that were formerly clear cut and would send someone to jail or cause them to pay money for damages just got more complicated. Law enforcement and the judicial system will have to spend more time figuring out which thieves are vigilantes and which are actual criminals.
Many security experts such as the head of the NSA have said that corporations should never be allowed to hack a group or individual in retaliation for getting hacked. In the case of international scenarios, he explains that this action could potentially escalate conflict and lead to war. In the SANS October 20 NewsBites email newsletter, security experts commented on some of the complications related to hacking back and attribution. Here are a few of the comments:
I believe the government’s fundamental responsibility is to protect its citizens; I believe the private sector can assist the government by sharing valuable intelligence that would allow the government to do just that. – Sean Henry
We already have a problem with rogue hackers excusing their behavior as ‘research.’ “The road to hell is paved with good intentions.” We all want to be judged by our motives while judging others by their behavior. – William Hugh Murray
I love the smell of cyberwar in the morning; that’s where I think this leads. Attribution is a very hard problem. – Stephen Northcutt
These analogies may help paint a picture of the problems. Although a group of coders hacked back to rescue $208 million in Ethereum, these actions should be carried out with the help and supervision of law enforcement, if and when carried out at all. Law enforcement exists for a reason. Security professionals can work with them to improve and target attackers to take appropriate actions, rather than create a situation where everyone’s network is even more at risk, and the already challenging job of security professionals becomes even harder.
