Tired of being attacked by cyber criminals, some organisations are keen to take the fight back to the hackers. But the risks of ‘hacking back’ are likely to be much greater than any potential gains.
Hacking back against an assailant — perhaps tracking down the systems they are using and either deleting the information they stole or disabling the computers — is currently illegal. But a new survey from Fidelis Cybersecurity has discovered that companies think they have the capability to respond more aggressively to hacking attacks, should they so wish.
Over half of respondents said that companies should be able to hack back, and that their organisation had the technical ability to identify an intruder, infiltrate their systems and destroy any data that had been stolen after a cyber attack.
And over half of executives said that, if it were legal, they would rather hack back to get the decryption keys after a ransomware attack than pay the criminals to regain access to their data.
Despite believing they could take the fight back to the hackers, in reality most businesses don’t have those skills, said Andrew Bushby, UK director at Fidelis Cybersecurity. Top concerns about such a strategy include issues around attribution — identifying the actual perpetrator — and the risk of collateral damage, according to the survey.
Indeed, if companies were financially liable for any damage caused to innocent computers as part of hacking back, 63 percent of execs said their company would be less likely to attempt it, although a gung-ho 15 percent said they would still give it a go.
This is not an entirely academic discussion: in the US, the Active Cyber Defense Certainty Act — currently in draft — would make it legal for hacking victims to return cyber-fire.
The draft law argues that “as a result of the unique nature of cybercrime, it is very difficult for law enforcement to respond to and prosecute cybercrime in a timely manner, leading to the existing low level of deterrence and a rapidly growing threat.”
Under the proposed law, it would be legal for a defender — the victim of persistent unauthorized intrusions — to use “active cyber defense measures” to access the systems of the attacker to gather information for law enforcement, or to “disrupt continued unauthorized activity against the defender’s own network”.
But companies hacking back would not be allowed to “intentionally” destroy information that does not belong to them or “recklessly” cause physical injury or financial loss, or create a threat to the public health or safety. Companies hacking back could not go near government systems either, and would have to notify the FBI before they did anything.
The draft US law also notes that “computer defenders should also exercise extreme caution to avoid violating the law of any other nation where an attacker’s computer may reside.”
Recipe for disaster
It’s frustrating that cyber criminals can operate with apparent impunity. But even with the caveats in the law it’s hard to see that allowing victims to try to hack back would be anything other than a disaster.
Hackers don’t launch attacks from their own systems; they find some unsecured servers and use them as a staging post. They might route their campaign through dozens of different systems across the world before finally arriving at the network they really want to attack.
Following hackers back through that labyrinth can take days or weeks, and often the trail goes cold. Hacking back could also ruin the digital forensics needed by law enforcement agencies to actually catch the criminals involved.
It’s easy to come up with scenarios where hacking back goes badly wrong. What if a company chasing hackers comes across the stolen secrets of one of its main competitors, for example? What if hackers use the systems of a hospital (or a power station) as a staging post for their attacks, and pursuers accidentally damage or destroy medical records (or safety systems)? What if the hackers turn out to be backed by a nation-state: could hacking back cause an international incident or instigate a cyberwar skirmish?
Improving IT security should be the priority: many cyber attacks only succeed because companies have failed to patch known vulnerabilities in their systems, or have failed to adopt basics like two-factor authentication. More money to investigate cyber crime would help too. But giving victims the ability to hack back is only likely to exacerbate the situation.