The Case Against Hack-BackExperts Calculate the Risks of Cyber-Retaliation
When JPMorgan Chase asked the FBI back in 2013 whether it could hack back against those who waged a distributed denial-of-service attack against the bank, federal authorities cautioned the financial services company against taking that step because it would be illegal, according to a recent news report.
But some security experts say, from a technical and policy standpoint, hacking back is always a bad idea because it could cause more problems.
Hack-backs would likely be ineffective, in part, because most victims of cyber-attacks would not be likely to correctly identify the hacker, says Adam Segal, Council on Foreign Relations digital and cyberspace policy program director. "Mistakes are bound to happen, and private actors will either damage third parties or cause inadvertent escalation," he says. "Truly determined attackers are unlikely to cease from current attacks or be deterred from future attack."
Jody Westby, CEO at Global Cyber Risk, a cyber-risk advisory firm, says an organization could find itself "playing cat and mouse with sophisticated cybercriminals" who would "up the stakes and launch more destructive attacks."
The hack-back approach to cyber-defense - widely debated a few years ago (see Legal Merits of Hack-Back Strategy and To Hack Back or Not?) - has resurfaced as a result of a Bloomberg News report last month. That report, quoting unnamed sources, said the FBI is investigating whether hackers working on behalf of any U.S. financial institution disabled servers that were used to wage DDoS attacks against the websites of major banks starting in 2012. The news service said JPMorgan Chase advocated such a move in a private meeting with the FBI in February 2013.
A private commission headed by former National Intelligence Director Dennis Blair and former American ambassador to China Jon Huntsman recommended in 2013 that the U.S. government support businesses that stage assaults on their assailants' computers to either recover or destroyed stolen intellectual property (see Panel: Use Hack-Back to Mitigate IP Theft).
"I'm sure it will make those who do it feel powerful," says information security technologist Bruce Schneier, the prolific author who often writes about the intersection of cyber and public policy. But he points out that organizations conducting hack-backs might unintentionally attack the wrong organization because attributing the original attack is difficult. For example, in the Sony Pictures breach, some cybersecurity experts disagree with the FBI's conclusion that North Korea was involved. "Attribution is hard and precise hacking is hard," says Schneier, chief technology officer at Co3 Systems, a provider of incident response products and services.
Knowing they could be subject to a retaliatory attack, hackers could strengthen their own cyberdefenses to protect the intellectual property they stole, says Martin Libicki, a cybersecurity expert at the think tank Rand Corp. They could encrypt stolen files or move them to another server. "The first hack-backers may succeed or think they succeeded (but) they have no way of knowing that the files haven't been already swept up into the hackers' networks," he says.
Global Cyber Risk's Westby says hacking back could pose diplomatic problems for the U.S. government. "Foreign governments will rightly complain to the U.S., and may even accuse the attacking companies of acting at the behest of the U.S. government," she says. "Employees of those companies residing in the complaining country may be arrested and held. Headlines are certain."
But it's not just the illegality that should deter companies from hacking back. Hack-back is a form of vigilante justice that raises moral questions, Schneier says, adding: "If you lynch the wrong guy, he ends up just as dead."