It’s an ongoing battle; every year or two, there is a new policy proposal to authorize private-sector hack back, and 2021 is no exception. The concept of allowing private sector entities to take cyber action against their attackers has once again been raised, this time in a bill from U.S. Senators Steve Daines and Sheldon Whitehouse.
Private sector “hack back” means non-government organizations taking intrusive action against a cyber attacker on technical assets or systems not owned or leased by the person taking action or their client. Essentially, this new bill would direct the Department of Homeland Security (DHS) to study the risks and benefits of allowing private organizations to respond in kind to cyberattacks, which is generally illegal in countries that have anti-hacking laws.
While the appeal of taking action against an attacker is easy to see, private sector hack back is a very bad idea. We encourage organizations to employ active defense techniques, but limit these to assets you own or operate. Hack back raises a number of concerns, as detailed below.
Attribution is nearly impossible
In most cases, it’s extremely difficult to be certain that attacks are being correctly attributed, as attackers can use deliberately deceptive techniques to divert blame elsewhere. Smart attackers will look for ways to stay ahead of defenders and law enforcement, and indicators of an attacker’s identity can be spoofed or misdirected.
Things get even trickier when introducing botnets: if someone is under attack from devices being controlled as part of a botnet, those devices – and their owners – are as much victims as the target is. Taking action on or against these technical assets is revictimizing other victims of the attacker.
Legitimate research could accidentally trigger an unnecessary hack back
In the security world, researchers have proven to be one of the industry’s most valuable assets. For example, research projects that scan ports on the public-facing internet help others understand the attack surface and reduce exposure and opportunities for attackers. However, it’s not unusual for those scans to encounter a perimeter monitoring tool, throwing up an alert to the security team. If an organization saw the alerts and, in their urgency to defend themselves, took a “shoot first, ask questions later” approach, they could end up attacking the researcher.
It's too easy to cause collateral damage
Think of it like this: People sometimes liken hack back to scenarios with homeowners who defend themselves against trespassers who threaten their well-being. In such a situation, it may be considered reasonable to arm oneself and stand bravely in defense.
While it’s an appealing idea, the reality of this situation in the cyber domain is more akin to standing by the fence and spraying bullets out into the street, hoping to get lucky and stop an attacker as they flee the scene of the crime. With such an approach, even if one does manage to reach the attacker, the shooter is also risking terrible collateral damage.
It must be understood that the internet does not operate within neat boundaries; it is messy, interconnected, and complex. Data is everywhere, cyberattacks happen all the time, and damage to all sorts of equipment and systems is inevitable. Organizations need to understand that even if they believe they can avoid all negative outcomes in most of these types of cases, just one small error could have a far-reaching impact and be extremely costly.
There is no clear path to oversight
The path to oversight is blurry, with only non-specific plans for how it could be managed to make it practical and minimize the potential for risks and abuses. At the moment, there are a lot of questions around a potential framework and system, including:
- What are the administrative requirements, who would manage oversight and how would it be funded?
- Who will determine which activities are acceptable and where the line should be drawn?
- What evidentiary standards would be set and who would ensure that standards are appropriately met?
- How would an authorizing agent ensure standards are met and maintained within approved organizations?
Without some sort of framework, the government is essentially authorizing the private sector to participate in these activities without any kind of oversight, likely leading to unintended harms and legal concerns.
The legal ramifications are a recipe for disaster
These issues of practical execution also raise questions around who will bear the responsibility and liability if something goes wrong. In an incident where a company accidentally harms another person or organization during a hack back, it will most likely result in expensive legal proceedings, reputational damage, and loss of trust.
Making organizations exempt from legal action around unintended consequences would be problematic and likely to result in more recklessness, as well as infringing on the rights of the victim organization. While the internet is a borderless space accessed from every country in the world, each of those countries has its own legal system and expects its citizens to abide by it. Companies and individuals who hack back would find it very difficult to avoid running afoul of the laws of other countries or international bodies.
When national governments take this kind of action, it tends to occur within existing international legal frameworks and under some regulatory oversight, but this may not apply in the private sector, again begging the question of where the liability rests.
It’s also worth noting that once one major power is seen authorizing private-sector hack back, other governments will likely follow, and legal expectations or boundaries may vary. This raises questions of how governments will respond when their citizens are being attacked as part of a private-sector hack back gone wrong, and whether it is likely to lead to an escalation of political tensions.
What happens next?
Rather than authorizing a measure as fraught with risk as hack back, one should instead be thinking about how to better protect these vulnerable organizations — for example, by subsidizing or incentivizing security hygiene. End-user organizations should not be alone in this – technology providers should also be expected to play their part in creating a less vulnerable and exploitable ecosystem. Beyond that, when it comes to taking the fight back to the attackers, recent developments to create greater public-private partnerships for proactive action to deter and disrupt attackers are a better path forward as they are organized and executed under appropriate government oversight and evidentiary standards, with the resources and might of governments to back them up.