Few issues are more divisive in the cybersecurity community than the idea that private firms should be allowed to digitally retaliate against their attackers, but the concept has gained support after promises from the United States to become more aggressive online.
Support for the idea that businesses should be able to respond in kind to cyberattacks, or “hack back,” has recently come from former government officials, experts and lawmakers who say it could be an effective deterrent.
“It sure seems like the environment is getting a lot friendlier to hack back, considering the U.S. government has pledged to take more offensive actions in cyberspace,” said Bryson Bort, head of the cybersecurity firm Scythe. Bort said that firms like Microsoft have increasingly moved into a “grey space” where they try to deter hackers through attribution or shutting down botnets.
Most forms of hack back are banned in the U.S. because accessing computers without permission is illegal under the Computer Fraud and Abuse Act. Lawmakers have proposed amending the law, but bills have not gone forward in Congress.
It is not clear what legalizing hack back would mean for businesses. It may be a boon for the security industry, but it may also lead to firms that retaliate being targeted more.
To be sure, there are many opponents of hacking back. It has been called “the worst idea in cybersecurity.” Opponents say that it is difficult to attribute cyberattacks and the practice would lead to digital vigilantism.
But the recent round of proposals has come as the U.S. government has pledged to become more aggressive in cyberspace. In August, President Donald Trump replaced the Obama-era regulations that governed cyber operations with a more expansive set of rules.
“We are going to do a lot of things offensively. Our adversaries need to know that,” national security advisor John Bolton told reporters after the national cyber strategy was announced in September.
“What do you mean by hack-back? How about we just begin to work with active defense?” Michael Hayden, former head of the NSA, told Fifth Domain during an August interview. Hayden raised the example of a bank in Australia on whose cyber board he sits.
“Might the Australian government, given how big and important this bank might be, want to give them a little more headroom than you might want to give to Fred and Ethel’s bank out in Alice Springs?”
The U.S. government should sponsor a special entity that could hack back on behalf of defense contractors, said David Scott Lewis, head of the cybersecurity risk management firm threatcasting.net. He suggested that the body should coordinate with the U.S. government and could act as a deterrent to foreign hackers.
Some see recent comments from Secretary of Defense Jim Mattis as a sign that he may be open to the hack back idea. Mattis predicted in a September speech that the U.S. government will one day offer cyber protection to critical infrastructure services, and suggested that the service may one day extend to individuals.
Lewis told Fifth Domain he was “pleasantly surprised” by Mattis’ announcement.
There is some evidence to suggest that firms may already be hacking back in some form. In “The Perfect Weapon,” released June 19, New York Times national security correspondent David Sanger describes how the cybersecurity company Mandiant penetrated Chinese hackers’ machines by reaching “back through the network to activate the cameras on the hackers’ own laptops.”
FireEye, which now owns Mandiant, denied the claim.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.