Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of “hacking back” opens up a wide range of cyber defense tools to IT and security managers. These tools could empower them to repel invaders with honeypots and other, more-active measures.
Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.
Hacking Back: Shall We Play?
The practice of hacking back isn’t new: The 1983 movie “War Games” inspired the Computer Fraud and Abuse Act of 1986, which prohibits anyone from knowingly accessing a computer without proper authorization. Google made questionably legal use of discovery technologies back in 2009 to find the command and control servers in Taiwan that were running the Operation Aurora attacks, as documented in this report from George Washington University.
Moreover, a security researcher was fired from his job after doing some hacking back to investigate a 2003 Lockheed Martin breach in Orlando, Florida, The New Yorker recently reported. The researcher took Lockheed Martin to court and sued for damages — and won the suit.
The Problem With Attribution
“Attribution is a very elusive target to achieve, so your error ratio can be quite high,” said Dudu Mimran, chief technology officer at Telekom Innovation Laboratories in Israel. Timeliness matters, he stressed, especially if you can analyze an attack in progress and connect the dots. The more time that lapses after an attack, the harder the attribution process becomes. And while attribution technologies are getting better at identifying sources of attacks, they are still far from perfect.
Attribution is also very much a cat-and-mouse game, as attackers get more adept at hiding their origins — or deliberately misleading researchers by including someone else’s code to throw them off the trail. Many hackers also employ obfuscation technologies so their malware can persist longer in corporate networks to do more damage.
A Question of Intent
Is the defendant guilty of murder or manslaughter? It’s not always easy to determine whether a cyberattack had malicious aim behind it. For attackers, their intent could range from deliberate criminal action to a mistake in network configuration. So, it is important to determine this before any hacking back is permitted.
There is a similar assessment of intent for defenders too: Are they trying to get their data back? Are they trying to monitor what the attacker is doing? Are they trying to cause harm to their attacker — or destroy the illegal use of proprietary technology?
Governor Nathan Deal just vetoed Georgia Senate Bill 315, the Electronic Frontier Foundation reported. The bill would have created a new crime of unauthorized access to a network but didn’t include any definition of criminal intent. If enacted without any changes, it could have meant that security researchers would be liable for prosecution just for entering a client’s network.
Canada is considering allowing hacking back in its Communications Security Establishment under Bill C-59. That bill is still working its way through Parliament, according to Global News.
Even without these new laws, there are legal steps that a government entity can take to prosecute hackers. But here’s the rub: Most of these agencies lack the skills or staffing to pursue cyber counter-measures. In many government agencies, there are numerous job vacancies for security analysts — so they are often not centers of excellence when it comes to hacking back efforts.
One way is for government to cooperate with private industry, which is what happened when it came time to try to stem the tide of Somali pirates. The government eventually accepted the use of private security services by the commercial shippers — and worked with insurers to help to provide a solution to stop the numerous raids of ocean cargo in that part of the world. This public-private cooperation has the side benefit of being able to help improve attribution, according to a 2017 report from the Carnegie Endowment.
We still have a lot of work to do before hacking back is both a legal and an acceptable response to a data breach or cyberattack. But as technologies get better at figuring out attribution and in proving the intent of both parties, hacking back could become a regular weapon for IT and security managers.