The IT Certification Resource Center


The Wild West Wisdom and Potential Perils of Hacking Back

The downside of cyber-recrimination


Truthfully, striking back against cybercriminals is something we all wish we could do. Unfortunately, as enjoyable as it might be to watch ransomware creators and other cyber malcontents suffer the unending torments of Dante’s Eighth Circle of Hell, digital revenge is still illegal, and for good reasons.


One downside to hacking back is the very real potential of tainting evidence of a cybercrime and blowing criminal investigations. Law enforcement may not have the staff or technical ability to handle complex cyber issues, and it’s all too easy to imagine courts dismissing cases because events and timelines are too convoluted to follow.


All a hacker need do is hire a lawyer to claim that the evidence against him (or her) has been altered, or indeed fabricated, by the company who struck back. Prosecutors would have a difficult time sorting out who did what and when and may not be inclined to spend limited resources unravelling these technical Gordian knots.


There is also the potential to hack back against an innocent entity. Fixing blame for a cybercrime is challenging — that’s why we leave it to experts in digital forensics. A true corporate nightmare scenario could arise if a company retaliates against a third party who had nothing to do with the original hack. The original target company would find itself buried beneath a barrage of lawsuits for restraint of trade, libel, and slander.


Attacking an innocent party is a likely outcome, because hackers routinely lay down false and misleading trails to disguise their identity. Imagine the scenario where a disgruntled employee hacks Coke and leaves a footprint pointing the blame at Pepsi. Or a competitor of both companies could decide to throw some gas on an already competitive environment.


Spiraling out of control


The technical ability to blame others already exists. Wikileaks previously exposed the existence of tools, used by our own Central Intelligence Agency, that had the capability to conduct an attack and make it appear as if it originated from another country. These tools are very good at masking the origin of a hack and confusing forensic investigators.


A truly horrific scenario could arise if a hacker cunningly pins the blame on a rival nation. Events could escalate beyond the realm of diplomacy overnight, as nations decide they are done playing on the cyber-field and send in conventional forces.


The idea may seem far-fetched until you realize that European Union member states recently drafted a diplomatic document declaring that “serious cyber-attacks by a foreign nation could be construed as an act of war,” and that member states could respond with conventional weapons.


And, oh yeah, NATO has also established cyber as a “legitimate military domain” that could trigger Article 5 of its treaty where an attack on one member is an attack on all 29 allies.


A change in the law?


Oddly enough, while hacking back is illegal under the Computer Fraud and Abuse Act (CFAA), there is currently a bill in the House of Representatives that would permit such tactics. The Active Cyber Defense Certainty (ACDC) Act, sponsored by Tom Graves (R-GA) and Kyrsten Sinema (D-AZ), would amend the CFAA to allow organizations access to an attacker’s computer or network for identification purposes, as well as to destroy stolen data.


Even if the ACDC becomes law, there is another huge reason for U.S. companies not to hack back: Many attacks originate from foreign countries and retaliation against a hacker could result in violations of international treaties and the laws of other nations. The burden and expense of fighting lawsuits on foreign soil and in foreign courts are challenges that no U.S.-based company would knowingly invite.


Hacking back by U.S. victims would be a field day for attorneys as even more legal questions arise. For example, companies, or individuals, could claim that the government failed to protect them and their property; therefore, they are exercising their inalienable 2nd Amendment rights to self-defense by hacking back.


Other convoluted issues and questions like the “Castle Doctrine,” “duty-to-retreat,” and “when did the original hack end,” would need to be litigated. Additionally, depending on what hack-backers use to engage the enemy, they could also run afoul of wiretapping laws.


Many industry experts consider hacking back a bad idea. Proponents of legalized cyber recrimination say it would make hack backs safer and give government the ability to regulate something that is already happening with increasing frequency.


It is still too early to predict the fate of the ACDC. In the meantime, as bad actors continue ramping up their attacks and the stakes for a data breach continue to climb, more entities are likely to see hacking back as a dubious, but legitimate tactic in the ongoing struggle to both defend against and discourage hack attacks.




Calvin Harper is a writer, editor and publisher and has covered a variety of topics across more than two decades in media. Calvin is a GoCertify associate editor.