Let’s not mince words: Cyberattacks suck. Whether criminals are hacking our passwords, or Anonymous is simply making a statement, the disruptions and data breaches exact a heavy toll in terms of time, money, and security. For example, after the Associated Press Twitter account was hacked and bogus news was posted about an attack on the White House, the U.S. stock market took a nosedive.
The often dire consequences of cyberattacks have the attention of the highest levels of government. Just yesterday, U.S. senators called on the Obama Administration to pursue sanctions against countries believed to be active in cyberattacks. Cybersecurity is one of the issues Secretary of State John Kerry will discuss when he visits Japan this month.
All this talk is great, but back in the here and now, the situation is tough. When cyberattacks occur—and they will—there’s little you can do except control the damage. Unless you hack back, that is.
Digital revenge is sweet—and illegal
Loosely defined, “hacking back” involves turning the tables on a cyberhacking assailant: thwarting or stopping the crime, or perhaps even trying to steal back what was taken. How that digital revenge is wreaked, and whether any of it is legal, are issues being actively debated right now—to the extent that anyone wants to talk about it, let alone admit to trying it. But there’s one thing security experts can agree on: Hack-backs are a tempting response to a frustrating situation.
Let’s talk about the illegal part first. Even if we skip the obvious moral issues around vigilante justice, hacking back quickly runs afoul of the Computer Fraud and Abuse Act. This law has undergone numerous revisions since it was first enacted in 1986, but Title 18, Sec. 1030 is clear on the point that using a computer to intrude upon or steal something from another computer is illegal.
“There is no law that actually allows you to engage in an attack,” says Ray Aghaian, a partner with McKenna Long & Aldridge, and a former attorney with the Department of Justice’s Cyber & Intellectual Property Crimes Section.“If you attack an attacker, you’re in the same boat,” he says.
The only kind of hacking back that’s considered tolerable is what you might enact defensively within your own computer or network. What’s clearly illegal are offensive hacks, where you leave your territory and actively pursue an assailant online.
Counterintelligence as a service
Even if companies can’t hack back, they can learn more about their assailants. Eric Ahlm, a Security Research Director with Gartner, sees a burgeoning business in gathering information about cybercriminals. “The world of counterintelligence as a service is certainly growing,” says Ahlm.
According to Ahlm, the companies tracking the bad guys collect vast amounts of data on Internet activity and can hone in on specific “actors” who engage in criminal activity. “Without touching or hacking the individual, they can tell you how trustworthy they are, where they are, what kind of systems they use,” says Ahlm. “They could link a device to an identity.”
While private companies cannot take offensive action with any such intelligence, they can use it defensively to thwart suspicious actors if they’re found to be sniffing around company data. “Based off your intelligence of who’s touching you,” says Ahlm, “you can selectively disconnect them or greatly slow them down from network access.” The simple act of slowing down access may be enough to motivate some hackers to look elsewhere.
Fighting back has its risks
Slowdown tactics are routine for CloudFlare, a company that supports websites with performance optimization, security, and other technologies.“In the grand scheme of fight-back tricks, this is one that causes relatively little harm but does a lot of good,” says Matthew Prince, co-founder and CEO. “If we are tying up a bad guy’s resources, they have less time to attack the good guys.”
While cybersecurity is an integral part of CloudFlare’s business, Prince cautions that any interaction with attackers carries risk. “Some people out there are real criminals. They have a way of fighting back,” he says.
Prince cites the example of Blue Security as a cautionary tale. This company drew raves—as well as criticism—for creating a way to spam back at spammers, clogging their systems and preventing them from sending out more spam. But the spammers fought back, unleashing attacks on Blue Security that caused collateral damage on the Internet. The company eventually closed down operations. “You can easily get in over your head,” says Prince.
Hacking back may never be legal
Now that data represents the biggest asset of many companies, the desire to protect that data intensifies and makes offensive measures seem almost a business imperative. Could some form of legal justification be far behind? If hack-backs were ever legalized, Aghaian says, “there needs to be proportionality.” In other words, the hack-back can’t be worse than the original hack.The complexity of determining proportionality, however, is one of many reasons why hacking back may never surmount its significant moral, legal, and practical issues.
Hacking back can also have unintended consequences, such as damaging hijacked computers belonging to otherwise innocent individuals, while real criminals remain hidden several layers back on the Internet. If you hack back and hurt someone else instead, “you have to be willing to bear the consequences and pay for the damages,” says Aghaian.
The more prudent approach, says Aghaian, is to focus resources on protecting your data—and prioritizing which data gets the most protection. “Isolate and identify your crown jewels,” says Aghaian, “Your chances of protecting that are far better than trying to protect everything.”
No matter how frustrating it can be to fend off cyberattacks, the risks of fighting back are significant. You have to identify the perpetrator. You have to figure out the best way to hack back. Wherther or not the hack works, you could face retaliation. While the idea of hacking back is deeply satisfying, its risks remain greater than the potential reward.