Since the Active Cyber Defense Certainty Act was introduced in the U.S. House of Representatives in October 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of “hacking back” would open up a wider range of cyber defense options to IT and security managers, from deception measures such as honeypots on their own networks to more active measures taken against an attacker’s infrastructure.

Lawmakers have recently taken an interest in creating rules that allow more flexibility for these activities, which are illegal in most jurisdictions. Currently, a private company may defend the systems it owns, but it has no legal right to reach into an attacker’s systems, even to stop an attack in progress.

Hacking Back: Shall We Play?

The practice of hacking back isn’t new, and neither is the law against it: The 1983 movie “WarGames” helped inspire the Computer Fraud and Abuse Act of 1986, which prohibits knowingly accessing a computer without authorization or exceeding authorized access. Google made questionably legal use of discovery techniques during the 2009 Operation Aurora attacks to locate the command and control servers in Taiwan that were running the campaign, as documented in a report from George Washington University.

In another case, a security researcher was fired after hacking back to investigate a 2003 breach at Lockheed Martin’s Orlando, Florida, facility, as The New Yorker recently reported. The researcher sued his former employer for damages and won the suit.

The Problem With Attribution

“Attribution is a very elusive target to achieve, so your error ratio can be quite high,” said Dudu Mimran, chief technology officer at Telekom Innovation Laboratories in Israel. Timeliness matters, he stressed, especially if you can analyze an attack in progress and connect the dots. The more time that lapses after an attack, the harder the attribution process becomes. And while attribution technologies are getting better at identifying sources of attacks, they are still far from perfect.

Attribution is also very much a cat-and-mouse game, as attackers get more adept at hiding their origins or deliberately misleading researchers by planting another group’s code or infrastructure as a false flag. Many attackers also employ obfuscation techniques so their malware can persist longer in corporate networks and do more damage, which further muddies the evidence.

A Question of Intent

Is the defendant guilty of murder or manslaughter? It’s not always easy to determine whether a cyberattack had malicious aim behind it. What looks like an attack could range from deliberate criminal action to a misconfigured system on someone else’s network that is generating hostile-looking traffic by mistake. So, it is important to establish intent before any hacking back is permitted.

There is a similar assessment of intent for defenders too: Are they trying to get their data back? Are they trying to monitor what the attacker is doing? Are they trying to cause harm to their attacker — or destroy the illegal use of proprietary technology?

Georgia Governor Nathan Deal recently vetoed Georgia Senate Bill 315, the Electronic Frontier Foundation reported. The bill would have created a new crime of unauthorized access to a network but didn’t include any definition of criminal intent. If enacted without changes, it could have exposed security researchers to prosecution merely for accessing a client’s network in the course of their work.

Canada is considering authorizing its Communications Security Establishment to conduct active cyber operations under Bill C-59. That bill is still working its way through Parliament, according to Global News.

Prosecuting Cybercriminals

Even without these new laws, there are legal steps that a government entity can take to prosecute hackers. But here’s the rub: Most agencies lack the skills or staffing to pursue cyber countermeasures. Many government agencies have numerous unfilled positions for security analysts, so they are rarely centers of excellence when it comes to hacking back.

One option is for government to cooperate with private industry, which is what happened when it came time to stem the tide of Somali piracy. The government eventually accepted the use of private security services by commercial shippers and worked with insurers on a solution that curtailed the numerous raids on ocean cargo in that part of the world. In the cyber domain, such public-private cooperation has the side benefit of improving attribution, according to a 2017 report from the Carnegie Endowment.

We still have a lot of work to do before hacking back is both a legal and an acceptable response to a data breach or cyberattack. But as technologies get better at figuring out attribution and in proving the intent of both parties, hacking back could become a regular weapon for IT and security managers.
