When Companies Hack Back

Picture this: You're the Chief Technology Officer of a Fortune 500 Company whose stock price is on the rise. One morning you open an email from the tech guru on your staff with the subject line: "URGENT: WE'VE BEEN HACKED." All of your company's emails have been stolen and you have no idea the extent of the damaging and sensitive information now out there in the hands of hackers.

While you're contemplating your next move, your staff makes a suggestion: hack back. This plan benefits: you may find the culprit and retrieve your pilfered information. But it has risks too: hacking back could be illegal, could paint a target on your back for other hackers to come and get you, or could lead to an escalation of what was a relatively benign conflict.

So what do you do?

The dilemma above, as dramatic as it sounds, could soon be a common one for corporate executives. So we asked members of New America's Cybersecurity Initiative:

Should companies be able to retaliate against cyber thieves by hacking back?

Jason Hong, Associate Professor at Central Michigan State University - Companies should absolutely not hack back against cyber thieves. One major concern is attribution, namely knowing that you have identified the right parties. Intruders typically use other people’s computers and servers, so odds are high that a company would simply be attacking an innocent party.

Furthermore, if a company does take down an attacking server, they might take down many other innocent third-party web sites and services, which would make the company potentially liable for damages.

Companies also have varying levels of talent and resources. While a very large tech company might be able to mount a proportional countermeasure, the vast majority of companies can’t. It would only be a matter of time before one of these other companies oversteps its bounds and inadvertently causes collateral damage and a great deal of embarrassment.

Lastly, in the unlikely case that a company could pinpoint who the attackers are and guarantee a precise counterattack, it is worth pointing out that some cyber thieves are state sponsored. As such, hacking back could spark an unwanted international incident.

A better alternative is to consider softer countermeasures that can slow down thieves and help law enforcement. For example, some banks feed fake data into phishing web sites, to make it easier to trace criminal activities. Many companies also run honeypots, which are servers that, when hacked, contain fake content and a great deal of monitoring software. This kind of approach makes it easier to identify attackers and their strategies, and potentially deter thieves as well.

Heather Roff, Visiting Professor at the Josef Korbel School of International Studies

We ought to prohibit private entities from retributive cyber measures. I have written elsewhere (here and here) about the historical precedents of allowing individuals to enforce their own rights, and how this breeds chaos. There are a host of reasons why this is so, and many have to do with the fact that there is no threshold-test for the level of certainty required to enforce rights, particularly in cyberspace. 

 Nevertheless, if one had perfect certainty, there still remains a question of proportionality. Proportionality is calculated by taking into consideration harm to one’s attacker and collateral harm and balancing this against the threat or harm done to oneself. Thus we must first know be able to quantify the harm done to us and our systems, that by my use of that harm I will succeed in defending, deterring, or punishing my attacker, and that there is some metric for all cyber harms. Second, collateral harm proscribes what one may do in the course of defending one’s rights. For instance, if the only way I can defend myself is by shooting all of the bystanders near me, this amount of harm is too great to permit me defending in this way (or at all). 

Cyber harm is difficult precisely because we cannot adequately foresee that the harm one imposes will stay on the networks or contained to the networks of one’s attacker. In the case it doesn’t, then the person who unleashed it becomes an attacker and is open to defensive responses.

Dan Ward, Author of The Simplicity Cycle: A Field Guide To Making Things Better Without Making Them Worse

+

The anonymous nature of many cyber criminals and difficulty of authentication makes hacking back problematic. Who exactly would a company "hack back" against, and what exactly would this offensive cyber action entail?

Despite these uncertainties, I'm inclined to say yes. Just as some companies are allowed to employ armed security officers, who operate under specific guidelines, companies should be allowed to employ "armed" cybersecurity officers, once they establish reasonable rules of engagement. Among these rules should be a requirement to inform the appropriate government authorities of any offensive action taken.

Rob Morgus, Program Associate with New America's Cybersecurity Initiative and International Security Program

Why?

Currently, a substantial chunk of the “hacking back” debate revolves around the moral and ethical dilemmas posed by companies acting as cyber-vigilantes in the cyber-wild west (if that sentence doesn’t make you cringe, I don’t know what will). Instead of asking whether hacking back is right, we should be asking ourselves: why do companies want to, and is it a practical means to achieving their ends? This leads to two important, related considerations.

First and foremost, does the company in question possess the necessary intelligence and technical capacity to design a surgical intrusion, or is there potential for undue collateral damage?

Let’s assume for a moment that it is technically feasible and some companies do have the technical expertise and necessary intelligence to tailor a surgical counterstrike without impacting systems other than their adversary. What, then, is the company hacking back hoping to achieve, and is hacking back the most efficient way of achieving the goal? Petty tit for tat attacks with no practical purpose other than an eye for an eye should be discouraged. But what of scenarios involving the theft of sensitive data? If the victim of the attack has the ability to responsibly “return fire” thereby destroying or corrupting the stolen data or the system upon which the data was stored before the initial theft achieves its practical purposes, it should be the victim’s purgative.

In the end, the threat that companies could hack back may prove to dissuade potential attackers. However, if we are to permit it, rules need to clearly dictate that any hack back must be excruciatingly surgical in nature and to achieve practical ends (very strictly defined).

Dave Weinstein, Cybersecurity Advisor for the State of New Jersey

In the absence of more definition, responsible policymakers are compelled to answer in the negative. Introducing private companies into an already ungoverned domain increases the geopolitical risk of collateral damage and misattribution to prohibitive levels. Strategically, these risks could lead to military escalation, diplomatic blowback, and market incentives that deter the adoption of best practices.

Perhaps the more interesting question, however, relates to whether nation-states’ traditional monopoly on the use of force even applies to cyberspace. After all, this age-old privilege is derived from a country’s legitimate ability to defend against force projection in sea, air, and land. In cyberspace, though, nation-states are largely powerless absent the private sector’s help. In some cases, a company’s ability to project cyber force may even exceed that of the government.

“Hacking back,” therefore, should be about defining the private sector’s role now that nation-states have, by all accounts, forfeited their monopoly on the use of force in cyberspace. Instead of dismissing this question outright, policymakers should explore “hacking back” in the context of public-private cyber deterrence. If properly governed, for example, the U.S. government could harness American companies’ technical resources, operational flexibility, and cyber intelligence to establish a credible threat of retaliation against America’s digital foes.

Before the private sector can play a constructive role, however, we must first establish thresholds for what warrants a response in cyberspace. Only after such norms exist can we debate who should be allowed to strike back.

Drew Herrick, Nonresident Fellow at New America 

Do companies and individuals hack back? Yes. 

Will companies and individuals continue to hack back in the future? Yes. 

However, whether companies and individuals should be allowed to hack back is a less obvious question. The line between defending a victim’s own network and compromising a third-party or attacker’s network is blurring. Depending on the scope and type of network intrusion it may be difficult to limit damage or counter a theft without using some offensive techniques. 

 Unfortunately, most companies do not have the requisite resources and skill to (1) fully diagnose and attribute the intrusion, (2) mount a sufficiently targeted response that does not escalate the situation or compromise innocent third-parties, and/or (3) absorb attacker counter-responses. Overall, there is a definite need for law enforcement or accredited third-parties to pick up the slack but companies themselves hacking back is counterproductive and dangerous."

Adam Elkus, Ph.D. student in computational social science at George Mason University

There is an a priori assumption here that hacking back benefits a company as a first response to whatever dastardly deeds are being done to it. Is that assumption really justified? Before a principal at a company considers the ethical and more narrowly self-interested questions of cost/benefit of hackback, they ought to first determine that focusing their energies on such an operation is meaningful and useful to them in the first place. So you've been "pwned." What benefits do you gain from hacking back vs. other alternative courses of action?