Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of “hacking back” opens up a wide range of cyber defense tools to IT and security managers. These tools could empower them to repel invaders with honeypots and other, more-active measures.

Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

Hacking Back: Shall We Play?

The practice of hacking back isn’t new: The 1983 movie “War Games” inspired the Computer Fraud and Abuse Act of 1986, which prohibits anyone from knowingly accessing a computer without proper authorization. Google made questionably legal use of discovery technologies back in 2009 to find the command and control servers in Taiwan that were running the Operation Aurora attacks, as documented in this report from George Washington University.

Moreover, a security researcher was fired from his job after doing some hacking back to investigate a 2003 Lockheed Martin breach in Orlando, Florida, The New Yorker recently reported. The researcher took Lockheed Martin to court and sued for damages — and won the suit.

The Problem With Attribution

“Attribution is a very elusive target to achieve, so your error ratio can be quite high,” said Dudu Mimran, chief technology officer at Telekom Innovation Laboratories in Israel. Timeliness matters, he stressed, especially if you can analyze an attack in progress and connect the dots. The more time that lapses after an attack, the harder the attribution process becomes. And while attribution technologies are getting better at identifying sources of attacks, they are still far from perfect.

Attribution is also very much a cat-and-mouse game, as attackers get more adept at hiding their origins — or deliberately misleading researchers by including someone else’s code to throw them off the trail. Many hackers also employ obfuscation technologies so their malware can persist longer in corporate networks to do more damage.

A Question of Intent

Is the defendant guilty of murder or manslaughter? It’s not always easy to determine whether a cyberattack had malicious aim behind it. For attackers, their intent could range from deliberate criminal action to a mistake in network configuration. So, it is important to determine this before any hacking back is permitted.

There is a similar assessment of intent for defenders too: Are they trying to get their data back? Are they trying to monitor what the attacker is doing? Are they trying to cause harm to their attacker — or destroy the illegal use of proprietary technology?

Governor Nathan Deal just vetoed Georgia Senate Bill 315, the Electronic Frontier Foundation reported. The bill would have created a new crime of unauthorized access to a network but didn’t include any definition of criminal intent. If enacted without any changes, it could have meant that security researchers would be liable for prosecution just for entering a client’s network.

Canada is considering allowing hacking back in its Communications Security Establishment under Bill C-59. That bill is still working its way through Parliament, according to Global News.

Prosecuting Cybercriminals

Even without these new laws, there are legal steps that a government entity can take to prosecute hackers. But here’s the rub: Most of these agencies lack the skills or staffing to pursue cyber counter-measures. In many government agencies, there are numerous job vacancies for security analysts — so they are often not centers of excellence when it comes to hacking back efforts.

One way is for government to cooperate with private industry, which is what happened when it came time to try to stem the tide of Somali pirates. The government eventually accepted the use of private security services by the commercial shippers — and worked with insurers to help to provide a solution to stop the numerous raids of ocean cargo in that part of the world. This public-private cooperation has the side benefit of being able to help improve attribution, according to a 2017 report from the Carnegie Endowment.

We still have a lot of work to do before hacking back is both a legal and an acceptable response to a data breach or cyberattack. But as technologies get better at figuring out attribution and in proving the intent of both parties, hacking back could become a regular weapon for IT and security managers.

More from Government

NIST’s security transformation: How to keep up

4 min read - One thing that came out of the pandemic years was a stronger push toward an organization-wide digital transformation. Working remotely forced companies to integrate digital technologies, ranging from cloud computing services to AI/ML, across business operations to allow workers to keep up high production and efficiency standards. Now that businesses and consumers have adjusted to the new normal of digital transformation, it is time to develop a security transformation strategy. Coping with the speed of change A constantly evolving tech…

Cyber experts applaud the new White House cybersecurity plan

4 min read - First, there was a strategy. Now, there’s a plan. The Biden Administration recently released its plan for implementing the highly anticipated national cybersecurity strategy published in March. The new National Cybersecurity Strategy Implementation Plan (NCSIP) lays out specific deadlines and responsibilities for the White House’s vision for cybersecurity. The plan is being managed by the White House’s Office of the National Cyber Director (ONCD). Cybersecurity experts have applauded the Administration’s plan as well as the new implementation calendar. For example,…

How the FBI Fights Back Against Worldwide Cyberattacks

5 min read - In the worldwide battle against malicious cyberattacks, there is no organization more central to the fight than the Federal Bureau of Investigation (FBI). And recent years have proven that the bureau still has some surprises up its sleeve. In early May, the U.S. Department of Justice announced the conclusion of a U.S. government operation called MEDUSA. The operation disrupted a global peer-to-peer network of computers compromised by malware called Snake. Attributed to a unit of the Russian government Security Service,…

How NIST Cybersecurity Framework 2.0 Tackles Risk Management

4 min read - The NIST Cybersecurity Framework 2.0 (CSF) is moving into its final stages before its 2024 implementation. After the public discussion period to inform decisions for the framework closed in May, it’s time to learn more about what to expect from the changes to the guidelines. The updated CSF is being aligned with the Biden Administration’s National Cybersecurity Strategy, according to Cherilyn Pascoe, senior technology policy advisor with NIST, at the 2023 RSA Conference. This sets up the new CSF to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today