Hacking back: is it a good idea?

Should the victims of hacking retaliate and hack back, and what are the issues involved?

Malicious hackers constantly attack our IT systems. Spiralling streams of malevolent code are sent down the highways, byways and intersections of the internet every day. This shouldn’t be news to anyone; we know this stuff by now. So should we be doing something about it?

Of course, we are doing everything we can with security organisations around the world monitoring threats and looking for network vulnerabilities all the time.

Let’s put the question another way: should we be doing something about the threat of malware in a more proactive way? Should we be stepping forward into the realm of the cybercriminals and taking them on at their own game? Should we hack back and attack the attackers on their own playing field?

Is hacking back an opportunity or a threat?

It’s a radical idea, but this is a time of extreme change in international relations and commerce, so perhaps it is opportune. There are many questions and dilemmas here. If we do hack back, will we open up new channels of connectivity to endanger those previously sealed off? Is hacking back self-regulating or should we involve the authorities? Does hacking back represent an opportunity or a threat?

The first challenge here is deciding where we go to war. Joseph Carson, chief security scientist at Thycotic, reminds us that many incidents are cross-border in nature and target multiple victims around the world in each attack.

This factor, combined with the ability for hackers to create spoof identities for themselves, makes attribution very difficult. Mr Carson argues that hacking back should only be performed by governments or law enforcement agencies. Further, it should only be done when, without doubt, the attribution is clear.

“If a private company starts hacking back they could easily be targeting another victim who is simply a proxy for the original attack, resulting in disastrous legal issues,” says Mr Carson. “What if a company decides to hack back and they accidently cause a death resulting from that action? Or they target their hack-back activity in the wrong country?”

cybersecurity dataset

Risk turning the cyber-universe into a modern wild west

It is the elusive nature of hackers that makes knowing where to fight the hardest part of hacking back. Adam Brown, security solutions manager at Synopsys, says usually an attacker is squatting on legitimate services and technology resources inside a law-abiding organisation.

“This reality makes the reactive hack-back attacker just another attacker, so therefore most likely to simply cause more damage. There is no sense in attacking the attackers with the same methods,” says Mr Brown.

There is no sense in attacking the attackers with the same methods

Richard Ford, chief scientist at Forcepoint, has been studying and pondering this issue for some time now. Dr Ford points to technical, legal and ethical quandaries thrown up, and says if we approach this subject carelessly, we stand a good chance of turning the cyber-universe into a modern-day wild west.

“The overall benefits of hacking back are questionable at best and even if it works today, you must remember that the attacker-defender relationship is co-evolutionary. That is, one responds and evolves based on input from the other. To that end, if hacking back worked briefly, in the long term I don’t see it as a viable solution,” he says.

In real-world terms, it is difficult to find any working technology practitioners who will admit to having carried out any hack-back procedures. Stephen Burke, founder and chief executive of Cyber Risk Aware, concedes to having considered the activity during his time working as a chief information security officer.

“After contemplating hacking back, I always very quickly came to the conclusion that we could not do it,” says Mr Burke. “Irrespective of all the legal and ethical considerations, it always comes down to the question of whether we could be absolutely sure of who attacked us? Irrefutable evidence, beyond reasonable doubt, is hard to come by here.”

Hacking back will never succeed in levelling the playing field

The inconvenient truth is that cybercriminals are highly anonymous and cover their tracks very carefully using encryption and international cross-border routes that are incredibly difficult to trace. They will often make the source of an attack look like it came from a specific part of the world, often for propaganda purposes, or even another company’s or country’s network, when it has in fact been used as a staging post, for example the suspicion that it was North Korea that attacked Sony Pictures.

“The other side of all of this is, if you do attack, what happens then? What if they attack back even harder than before? Are you prepared for this and the responsibility of having to explain your actions to all the stakeholders in the business? These are very big questions and no matter the answer, I could never get beyond reasonable doubt,” says Mr Burke.

There is very little consensus to suggest that hacking back should form any significant part of the next technology revolution. Artturi Lehtiö, service technology lead for cybersecurity consulting at F-Secure, points out that this isn’t a question of offence versus defence. Cybercriminals focus 100 per cent on attacking targets, while companies focus on business and, where possible, cybersecurity protection.

Hacking back won’t change this fundamental asymmetry and we need to recognise that the playing field is uneven. This is not football, not during the World Cup, not ever.