The Wild West Wisdom and Potential Perils of Hacking Back
One of my favorite Western films is John Sturges' The Magnificent Seven. It tells the story of a poor Mexican village regularly raided for food and supplies by local banditos. The men of the village reluctantly tolerate these incursions until a bandit kills one of them in the latest raid. Deciding to fight back, they set out to buy some guns before the next raid.
Along the way they meet up with Yul Brynner's character, a veteran gunslinger, who convinces them to spend what they have on hired help instead of weapons, because, as he puts it, "Men are cheaper than guns." What follows is an excellent portrayal of human nature with all its sometimes unavoidable shortcomings and inherent nobility.
Although 57 years old, the film has an applicable lesson for today's cybersecurity practitioners, one that bullies know well: If you tolerate bad behavior, you will get more of it.
Taking the fight to hackers
In today's high-tech environment, the bandits are hackers and the food and supplies that they plunder are networks and data caches. Experts say, and most of us accept, that it is only a matter of time before we will all be hacked. Sadly, when it comes to protecting data, many organizations do little more than rely on basic cybersecurity practices, try to maintain a low-profile, and hope for the best.
Such an approach to cybersecurity is unwise. The potential damage from a data breach can be devastating to economic engines large and small, and even lead to loss of life. Last year, Russia-based hackers breached the networks of 100 nuclear and power plants worldwide. In 2015 and 2016, these same hackers managed to shut down power plants in Ukraine, resulting in a loss of electrical power for millions of people.
Even in technologically advanced countries like the United States, intrusions into our power grid occur with disturbing frequency. In July, the FBI and the Department of Homeland Security jointly issued an industry advisory warning of unknown hackers targeting energy companies.
Thus far, most intrusions that security personnel have managed to detect and analyze were just gathering intelligence: diagrams, passwords, reports, and so forth. The real danger is that, with that kind of information, hackers could easily access the operational side of a facility and cause serious long-term service disruptions.
As the stakes of a data breach escalate, things are changing when it comes to cyber defense. In what many call the industry's "open secret," more organizations are hiring latter-day Old West gunfighters — hackers who not only defend networks, but intentionally strike back against bad actors.
The process is called "hacking back," and it is essentially exactly what it sounds like. Hired-gun hackers deliberately go after an attacker's computers and networks to identify them, find or destroy stolen data and, in a growing number of instances, to wreak havoc on the attacker by causing disruptions or full-blown damage to servers and networks.
Companies that engage in this brand of cyber pushback are understandably reluctant to admit to "letting slip the hounds of war." It's just good business to be wary of poking the digital hornet's nests from which hackers sally forth. In many unpublicized instances, however, they are doing just that.
The downside of cyber-recrimination
Truthfully, striking back against cybercriminals is something we all wish we could do. Unfortunately, as enjoyable as it might be to watch ransomware creators and other cyber malcontents suffer the unending torments of Dante's Eighth Circle of Hell, digital revenge is still illegal and for good reasons.
One downside to hacking back is the very real potential of tainting evidence of a cybercrime and blowing criminal investigations. Law enforcement may not have the staff or technical ability to handle complex cyber issues, and it's all too easy to imagine courts dismissing cases because events and timelines are too convoluted to follow.
All a hacker need do is hire a lawyer to claim that the evidence against him (or her) has been altered, or indeed fabricated, by the company who struck back. Prosecutors would have a difficult time sorting out who did what and when and may not be inclined to spend limited resources unravelling these technical Gordian knots.
There is also the potential to hack back against an innocent entity. Fixing blame for a cybercrime is challenging — that's why we leave it to experts in digital forensics. A true corporate nightmare scenario could arise if a company retaliates against a third party who had nothing to do with the original hack. The original target company would find itself buried beneath a barrage of lawsuits for restraint of trade, libel, and slander.
Attacking an innocent party is a very real possibility, because hackers routinely lay down false and misleading trails to disguise their identity. Imagine the scenario where a disgruntled employee hacks Coke and leaves a footprint pointing the blame at Pepsi. Or a competitor of both companies could decide to throw some gas on an already competitive environment.
Spiraling out of control
The technical ability to shift blame onto others already exists. Wikileaks previously exposed the existence of tools, used by our own Central Intelligence Agency, that had the capability to conduct an attack and make it appear as if it originated from another country. These tools are very good at masking the origin of a hack and confusing forensic investigators.
A truly horrific scenario could arise if a hacker cunningly pins the blame on a rival nation. The potential for events to escalate beyond the realm of diplomacy could happen overnight, as nations decide they are done playing on the cyber-field and decide to send in conventional forces.
The idea may seem far-fetched until you realize that European Union member states recently drafted a diplomatic document declaring that "serious cyber-attacks by a foreign nation could be construed as an act of war," and that member states could respond with conventional weapons.
And, oh yeah, NATO has also established cyber as a "legitimate military domain" that could trigger Article 5 of its treaty where an attack on one member is an attack on all 29 allies.
A change in the law?
Oddly enough, while hacking back is illegal under the Computer Fraud and Abuse Act (CFAA), there is currently a bill in the House of Representatives that would permit such tactics. The Active Cyber Defense Certainty (ACDC) Act, sponsored by Tom Graves (R-GA) and Kyrsten Sinema (D-AZ), would amend the CFAA to allow organizations to access an attacker's computer or network for identification purposes, as well as to destroy stolen data.
Even if the ACDC becomes law, there is another huge reason for U.S. companies not to hack back: Many attacks originate from foreign countries and retaliation against a hacker could result in violations of international treaties and the laws of other nations. The burden and expense of fighting lawsuits on foreign soil and in foreign courts are challenges that no U.S.-based company would knowingly invite.
Hacking back by U.S. victims would be a field day for attorneys as even more legal questions arise. For example, companies, or individuals, could claim that the government failed to protect them and their property; therefore, they are exercising their inalienable 2nd Amendment rights to self-defense by hacking back.
Other convoluted issues and questions like the "Castle Doctrine," "duty-to-retreat," and "when did the original hack end," would need to be litigated. Additionally, depending on what hack-backers use to engage the enemy, they could also run afoul of wiretapping laws.
Many industry experts consider hacking back a bad idea. Proponents of legalized cyber recrimination say it would make hack-backs safer and give government the ability to regulate something that is already happening with increasing frequency.
It is still too early to predict the fate of the ACDC. In the meantime, as bad actors continue ramping up their attacks and the stakes for a data breach continue to climb, more entities are likely to see hacking back as a dubious, but legitimate tactic in the ongoing struggle to both defend against and discourage hack attacks.