Legislation pending in Congress that would offer protections for companies and individuals who seek to “hack back” in retaliation against cybercriminals who have attacked them is a bad idea, contends Alan Brill of Kroll.
The House bill, called the Active Cyber Defense Certainty Act, would make it legal for hacked organizations to infiltrate machines outside of their own network to identify an attacker, disrupt a potential ongoing attack and recover stolen data.
While that may sound like an idea that could help level the playing field for victims, Brill says the legislative effort is a misstep.
“There is no question that [hacking back] sounds like a good thing to do; and the very concept brings smiles to the faces of executives who have been the victims of hacking,” Brill says in an interview with Information Security Media Group. “But there are a lot of things that can go wrong.”
Attribution Is Challenging
Difficulties accurately attributing a cyberattack make hacking back extremely risky, Brill emphasizes.
Organizations rarely have the technical resources to accurately pinpoint their adversaries, he notes. Cybercriminals often compromise machines owned by innocent third-party intermediaries, so hacking back could potentially harm an unwitting intermediary rather than the attacker, he points out.
“When you’re hacking back you may believe you’re going against the hacker, when you’re not. You’re going against some third party who has no idea they’ve been compromised,” Brill says.
In this interview, Brill also discusses:
The international implications and risks of hacking back an entity not based in the United States;
When organizations should seek legal advice if considering hacking back;
His opinion on the likelihood of the legislation becoming law.
Brill is a senior managing director with Kroll’s cybersecurity and investigations practice. As the founder of Kroll’s global high-tech investigations practice, he has led engagements that range from large-scale reviews of information security and cyber incidents for multibillion-dollar corporations to criminal investigations of computer intrusions. He’s also the co-author of a report issued by the nonprofit organization Center for Democracy and Technology titled: “Private Sector Hack-Backs and the Law of Unintended Consequences.”