“We will explore the possibility of a free market for Cyber-Insurance and make clear that users have a self-defense right to deal with hackers as they see fit.”
It’s just one sentence on the last two pages of the 2016 Republican Party Platform, but it has cybersecurity professionals freaking out over its wider implications.
“If you walk by your neighbor’s house, look in his window, and see the thing he stole from you yesterday, you’re not allowed to break into his house and take it back,” Bruce Schneier, a computer security expert and cryptographer, told InfoRiskToday. “That’s the law. There’s a real reason why we let the police and the justice system handle this.”
Though it seems the GOP platform is suggesting the digital equivalent of exactly that.
In a striking departure from its 2012 vision for cybersecurity — in which the GOP urged the government to share more information on cyber threats and up its defenses — the 2016 platform’s phrasing that users can deal with hackers “as they see fit” suggests the concept of “hacking back.”
And that’s a very dangerous concept, according to many cybersecurity experts.
“What? Oh my god,” one hacker told Tech Insider on condition of anonymity, since he’s a so-called “grey hat” who worries about his own security. “That is crazy.”
The reaction was mainly due to the problem of attribution — a rather messy business in the cybersecurity world. It’s pretty easy to figure out who a thief walking into a gas station and stealing a candy bar is, but that’s never the case on the Internet, since hackers often use proxies and stolen computers to mask who they truly are.
“Hacking back by organizations is a bad idea,” Malcolm Harkins, Chief Security and Trust Officer for Cylance, wrote on LinkedIn. “Bruce [Schneier] is right. It is a truly crazy suggestion.”
If a company was hacked by someone operating from China, for example, how would it actually know that? Without the resources of intelligence agencies and the federal government, it’s much more difficult to know whether the hacker came from China, or if some unsuspecting person’s computer was hacked and now being used to launch an attack.
The grey hat hacker Tech Insider spoke with showed how murky this kind of thing is, explaining that he could hack a computer at Coca-Cola and then use it to break into a network at Yum brands, its competitor. By this platform, it would seem that Coca-Cola hacking back into Yum brands would be a self-defense play.
The hacker said it was possible that an attacker could use one company’s servers to hack another in order to get a response back — a digital “false flag” operation.
Besides its urging for average Internet users to fight back against hackers, it also calls for more offensive hacking operations by the US government in order “to avoid the cyber equivalent of Pearl Harbor.”
That also is seen by experts as a problem, since there are very few rules between nations when it comes to cyberspace. It’s what the President has referred to as the “wild West.”
“The way that this section of the Republican platform is written sounds as though it’s rationalizing the use of force following a cyber-attack by way of defending the country,” former NSA IT architect Will Ackerly told FedScoop. “To that end, any offensive practice would give everyone else in the room the latitude to justify their offensive actions based on the United States’ rhetoric.”
The Republican Party did not immediately respond to a request for comment from Tech Insider.