The 2016 Republican Party platform contains a proposal that’s making many people in the tech sector and elsewhere uneasy, if not downright nervous.
Under a section titled “Facing 21st Century Threats: Cybersecurity in an Insecure World,” it suggests how the United States should retaliate against cyberattacks from China, Russia and other hostile actors.
“Our response should be to cause diplomatic, financial, and legal pain,” the section reads in part. “We will explore the possibility of a free market for Cyber-Insurance and make clear that users have a self-defense right to deal with hackers as they see fit.”
This is language that suggests hacking the hackers.
The potential consequences
While the notion of hoisting cybercriminals upon their own petard is undeniably appealing, experts in the fields of security and technology told CNBC that “hacking back” is little more than a pipe dream, as attributing a cyberattack to an exact origin is extremely difficult at best. Worse yet, it carries with it potentially dangerous consequences both at home and abroad.
“A policy of hack-back would allow the DNC or any private firm to take unilateral actions against Russian intelligence, possibly starting a cyberwar,” said Anup Ghosh, founder and CEO of the security software company Invincea.
“The only thing we know for certain is what we don’t know: who is behind the attacks provable in a court of law,” he said.
“Attribution is nearly impossible to do perfectly, so the most likely implications would be retribution targeted against innocent third parties, whose machines were simply used as launch points without the knowledge of the owners,” said Chris Finan, former White House cybersecurity director and CEO and co-founder of Manifold Technology.
“But equally important to consider would be potential violations of sovereignty that could be interpreted as acts of national aggression and could even prompt retaliatory measures against the country,” said Finan.
The experts with whom CNBC spoke all had problems with the phrase “users have a self-defense right to deal with hackers as they see fit.” Apart from simply being vague, it also appears to imply that victims of cybercriminals should have the right to mete out justice to the perpetrators, no matter how draconian.
“This seems to imply that people can do whatever they want to cybercriminals,” said Chris Webber, security strategist at the cloud-based identity management firm Centrify. “The ‘as they see fit’ part raises this statement from typical rhetoric to dangerous propaganda… Since the statement is so poorly qualified, it seems any law can be disregarded when dealing with hackers. It’s like saying anyone who steals your shoes can be beaten to death in the streets.”
Webber wasn’t fully dismissive of the platform’s proposal, noting that cyber-insurance is an idea whose time may have arrived. He also conceded that the cybersecurity industry could be doing more to develop better technologies that prevent future attacks.
“[It] seems to imply that people can do whatever they want to cybercriminals. It’s like saying anyone who steals your shoes can be beaten to death in the streets.”
-Chris Webber, security strategist at Centrify
Nonetheless, attribution remains the primary obstacle to holding hackers accountable. James Carder, chief information security officer of the security intelligence company LogRhythm and vice president of the LogRhythm Labs division, said that victims who hack back might find themselves inadvertently striking back against innocent parties.
“An inability to accurately identify a hacker essentially leads to blind retaliation, often influenced by thoughts, opinions or fears rather than facts,” he said. “This emotionally driven hack-back can have devastating results with innocent casualties.”
When Carder referred to “innocent casualties,” he wasn’t just talking about a few people’s PCs getting viruses. He was referring to a retaliatory action with the ability to devastate densely populated areas. One could compare it to bringing a rooftop sniper to justice by razing an entire city block.
“Cyber exploits offer stunning comparisons to weapons of mass destruction,” he said. “They may be readily available and easily obtainable yet possess the ability to cripple the critical infrastructure and resources, such as power, water and food supplies of an entire nation.”
A cybersecurity Wild West
Ray Rothrock, CEO of the cybersecurity company RedSeal, agrees. “You don’t right a crime by committing another crime. We have a justice system for a reason. Unmonitored retaliation does not work in a modern civil society. One is innocent until proven guilty, and offended individuals do not get to make that judgment.””Creating a cybersecurity Wild West would be a crapshoot, with no clear winners or losers,” he said.
Given these considerations, what recourse do Americans have to prevent themselves from falling victim to hackers? The current hack of the Democratic National Committee’s email server demonstrates that whatever we’re doing now isn’t working, but the experts agreed across the board that hacking back isn’t the answer.