Government officials and experts are weighing in on the concept of ‘hacking back’, the practice of potentially allowing U.S. companies to track down cyber attackers and retaliate.
The former head of the CIA and NSA, General Hayden, outlined his thoughts to the Fifth Domain on the hack back issue currently being debated by Congress. He is cautious but has expressed an openness to allowing some level of retaliation by private organizations.
General Hayden is very sharp and brings unprecedented national intelligence experience to the table, but I must disagree with his position on the risks of enabling businesses to ‘hack back’.
I have had the pleasure of an in-depth 1:1 discussion with him regarding the long-term nation-state threats to the digital domain and have always been impressed with his insights. However, this is a different beast altogether.
Allowing U.S. companies latitude to hack back against cyber attackers is very dangerous. I believe he is underestimating the unpredictable nature of business management when they find themselves under attack. Unlike U.S. government agencies, which firmly align themselves to explicit guidance from the Executive branch, the guard-rails for businesses are highly variable and can be erratic. Decisions can be made quickly, driven by heated emotion.
The average American business does not understand the principles of active defense or proportional damage, nor does it have the insight to establish and operate within specific rules of engagement. It certainly lacks the capacity to determine proper attribution, gather the necessary adversarial intelligence, or even understand the potential collateral damage of the weapons it may use.
Instead, we can expect rash and likely volatile responses that lash out at perceived attackers. Unfortunately, cyber adversaries will quickly seize on this behavior and make their attacks appear as if they are coming from someone else. It will become a new sport for miscreants, anarchists, social radicals, and nation states to manipulate their targets into hacking-back innocent parties. As the meme goes, "On the Internet, nobody knows you're a dog".
What happens when threat actors impersonate hospitals, critical infrastructure, or other sensitive organizations during an attack? The hack-back response may cause unthinkable and unnecessary damage.
Congress is also considering allowing companies to ‘hack back’. Senator Sheldon Whitehouse recently indicated he is considering a proposal to allow companies to "hack back" at digital attackers.
I think the whole "hack back" movement is entirely misguided.
Many compare it to 'stand your ground' situations as they try to convince others to join in public support. But such verbal imagery is just not applicable. A better analogy is saying that if someone breaks into your house, you should have the right to break into their home, or the home of whomever you think did it (because you really won't know). Most would agree it is not a good idea when framed that way.
Now consider whom you will be empowering to make such decisions. Businesses that were not able or responsible enough to manage the defense of their environment in the first place will be given authority to attack back. Yet it is unlikely they will truly understand where the actual attack is originating. They will be acting out of rage and fear, and with weapons whose potential collateral and cascading damage they have no concept of.
Every time I have heard an executive wanting to be able to 'hack back', it was someone who was not savvy in the nuances of cybersecurity and lacked the understanding of how incredibly easy it is to make an innocent 3rd party look like they are the ones conducting an attack. When I brought up the fact that it is easy to make it appear like someone else was behind the strike, such as a competitor, government agency, or hospital, the tone radically changed. Attribution for cyberattacks can take experts months or even years. Businesses have neither the expertise nor the patience to wait when they want to exact revenge.
If allowed, hacking back will become a new sport for miscreants, anarchists, social radicals, and nation states to manipulate their adversaries into making such blunders, or into being hacked back by others who were fooled into thinking they were the source.
Allowing companies to hack back will not deter cyberattacks; rather, it will become the new weapon for threat actors to wield against their victims.
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world, and a public advocate for best practices and for communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and is quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of optimal cybersecurity. He is experienced in building world class teams and capabilities, managing security operations, evangelizing best practices to the market, developing security products, and improving corporate security services.