Since the Active Cyber Defense Certainty Act was introduced to the U.S. House of Representatives at the end of 2017, people in the tech industry have been forming some very strong opinions. The contentious concept of “hacking back” opens up a wide range of cyber defense tools to IT and security managers. These tools could empower them to repel invaders with honeypots and other, more-active measures.

Lawmakers have taken a recent interest in creating new rules that allow for more flexibility with these activities, which are illegal in most places. Currently, a private company has no legal right to defend itself against a cyberattack.

Hacking Back: Shall We Play?

The practice of hacking back isn’t new: The 1983 movie “War Games” inspired the Computer Fraud and Abuse Act of 1986, which prohibits anyone from knowingly accessing a computer without proper authorization. Google made questionably legal use of discovery technologies back in 2009 to find the command and control servers in Taiwan that were running the Operation Aurora attacks, as documented in this report from George Washington University.

Moreover, a security researcher was fired from his job after doing some hacking back to investigate a 2003 Lockheed Martin breach in Orlando, Florida, The New Yorker recently reported. The researcher took Lockheed Martin to court and sued for damages — and won the suit.

The Problem With Attribution

“Attribution is a very elusive target to achieve, so your error ratio can be quite high,” said Dudu Mimran, chief technology officer at Telekom Innovation Laboratories in Israel. Timeliness matters, he stressed, especially if you can analyze an attack in progress and connect the dots. The more time that lapses after an attack, the harder the attribution process becomes. And while attribution technologies are getting better at identifying sources of attacks, they are still far from perfect.

Attribution is also very much a cat-and-mouse game, as attackers get more adept at hiding their origins — or deliberately misleading researchers by including someone else’s code to throw them off the trail. Many hackers also employ obfuscation technologies so their malware can persist longer in corporate networks to do more damage.

A Question of Intent

Is the defendant guilty of murder or manslaughter? It’s not always easy to determine whether a cyberattack had malicious aim behind it. For attackers, their intent could range from deliberate criminal action to a mistake in network configuration. So, it is important to determine this before any hacking back is permitted.

There is a similar assessment of intent for defenders too: Are they trying to get their data back? Are they trying to monitor what the attacker is doing? Are they trying to cause harm to their attacker — or destroy the illegal use of proprietary technology?

Governor Nathan Deal just vetoed Georgia Senate Bill 315, the Electronic Frontier Foundation reported. The bill would have created a new crime of unauthorized access to a network but didn’t include any definition of criminal intent. If enacted without any changes, it could have meant that security researchers would be liable for prosecution just for entering a client’s network.

Canada is considering allowing hacking back in its Communications Security Establishment under Bill C-59. That bill is still working its way through Parliament, according to Global News.

Prosecuting Cybercriminals

Even without these new laws, there are legal steps that a government entity can take to prosecute hackers. But here’s the rub: Most of these agencies lack the skills or staffing to pursue cyber counter-measures. In many government agencies, there are numerous job vacancies for security analysts — so they are often not centers of excellence when it comes to hacking back efforts.

One way is for government to cooperate with private industry, which is what happened when it came time to try to stem the tide of Somali pirates. The government eventually accepted the use of private security services by the commercial shippers — and worked with insurers to help to provide a solution to stop the numerous raids of ocean cargo in that part of the world. This public-private cooperation has the side benefit of being able to help improve attribution, according to a 2017 report from the Carnegie Endowment.

We still have a lot of work to do before hacking back is both a legal and an acceptable response to a data breach or cyberattack. But as technologies get better at figuring out attribution and in proving the intent of both parties, hacking back could become a regular weapon for IT and security managers.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…