"The real world isn't like the online world."
This simple sentence - written by Mikko Hypponen in the foreword of Christopher E. Elisan's recently published book, Malware, Rootkits & Botnets: A Beginner's Guide (McGraw-Hill) - contains a powerful message: Legislators need to be mindful when they listen to the increasing voices in the cybersecurity community espousing the idea that American corporations and, presumably, everyday citizens should be allowed to "hack back" at the nameless and faceless scum of the earth who disable our networks, attack our computer systems, pilfer our sensitive data (including holding it for ransom) and destroy our credit ratings.
The idea has a certain emotional appeal. There are more than a few nation-state actors, cybercriminals and hacktivists whom I would like nothing more than to expose, or even to deny service to their botnet command and control servers. After all, if you don't return the punch of the playground bully, you're just inviting more abuse.
On second thought, how would I know how to identify the guilty party? Even if I could positively identify the person and snap a picture via the computer's locally attached camera, what would I do next? What authority would I turn him in to? Would I be breaking any laws in his country? And, after the buzz of a successful cyber counterattack wore off, what would happen next? Is there a role for playground justice in cyberspace?
Playground Justice Doesn't Apply
No, the online world is completely different from the world we experience with our senses. Playground justice just doesn't apply. Existing computer technology lacks the sophistication and assurance necessary to unconditionally attribute computer activity to a specific actor. Even the image I capture via his camera could actually be redirected by a modified input/output driver across the Internet to the camera of an innocent teenager in Tennessee.
Consider the lengths our Defense Department and intelligence community must go through, with good reason, to validate the identity of a terrorist before even considering a kinetic response. Of course, once the terrorist is identified, the next question is how do we make sure we minimize collateral damage? Allowing our citizens and corporations the legal freedom to hack back in the online world, where attribution is never assured and you might end up attacking your own, or worse, your competition's network, is a recipe for disaster.
Some tell me that when they say hack back, they really mean that they only want to publicly expose the bad actors. "Bring the cyber mildew out into the sunshine," is how one proponent describes it. I'm not sure how one publicly exposes the Chinese People's Liberation Army any more than it has already been revealed. Iran also doesn't seem to be too worried. As for Russian, Eastern European and other criminal cyber gangs, they already know how to hide and to misdirect attribution and forensic tools. These criminal cyber gangs are in this business for one reason: money. Their response may be more kinetic than quid pro quo, hack for hack.
In addition to the hack backers getting it wrong, the next question is where does this all lead? The notion that hacking back or even exposing the cyber scum will reduce the threat of global hacking is foolhardy. In a kinetic war, organizations need a reasonable number of soldiers with weapons and some degree of organization to become a player. In the online world, that teenager from Tennessee can anonymously become a soldier in the battle with one devastating distributed denial of service toolkit, without ever leaving his bedroom. In a world without borders or international laws and rules, cyber skirmishes can become cyberwars in nanoseconds. Once out of control, I have no idea how anyone could put the toothpaste back in the tube.
When the Irrational Sounds Appealing
Even if our legislators somehow allowed some degree of hack back, who would and wouldn't be authorized to conduct these private cyber feuds? While I know some very responsible and savvy white-hat hackers, there are also a large number of cyber snake-oil salesmen that can convince a stung CEO that they can "make the problem go away."
The federal government should take defensive and offensive cyber measures to preempt attacks on our country's critical infrastructure. However, the notion of allowing private interests and citizens to possess similar legal protection is fraught with danger. The fact that this dialogue even exists results from a growing frustration among our citizens that using the Internet feels like walking down a dark alley in an unfamiliar city. Everyone recognizes that the problem is getting worse, and as Congress and the Obama administration continue to fail on the legislative front, the irrational begins to sound more appealing.
Let's channel this energy into pursuing international agreements and cooperative efforts to better identify the cyber scum, and use existing legislative bodies such as the International Telecommunication Union to require service providers to deny access to those who use the Internet for criminal activity.
It's time for the American government to get serious about building more secure systems and safer software that improves our ability to resist hacking and more easily identifies hacking actors and activities.
Robert Bigman, who retired last spring after serving for 15 years as chief information security officer of the Central Intelligence Agency, is chief executive officer of 2BSecure LLC.