Hacking back: is it a good idea?

Malicious hackers constantly attack our IT systems. Spiralling streams of malevolent code are sent down the highways, byways and intersections of the internet every day. This shouldn’t be news to anyone; we know this stuff by now. So should we be doing something about it?

Of course, we are doing everything we can, with security organisations around the world monitoring threats and looking for network vulnerabilities all the time.

Let’s put the question another way: should we be doing something about the threat of malware in a more proactive way? Should we be stepping forward into the realm of the cybercriminals and taking them on at their own game? Should we hack back and attack the attackers on their own playing field?

Is hacking back an opportunity or a threat?

It’s a radical idea, but this is a time of extreme change in international relations and commerce, so perhaps it is opportune. There are many questions and dilemmas here. If we do hack back, will we open up new channels of connectivity to endanger those previously sealed off? Is hacking back self-regulating or should we involve the authorities? Does hacking back represent an opportunity or a threat?

The first challenge here is deciding where we go to war. Joseph Carson, chief security scientist at Thycotic, reminds us that many incidents are cross-border in nature and target multiple victims around the world in each attack.

This factor, combined with the ability for hackers to create spoof identities for themselves, makes attribution very difficult. Mr Carson argues that hacking back should only be performed by governments or law enforcement agencies. Further, it should only be done when, without doubt, the attribution is clear.

“If a private company starts hacking back they could easily be targeting another victim who is simply a proxy for the original attack, resulting in disastrous legal issues,” says Mr Carson. “What if a company decides to hack back and they accidentally cause a death resulting from that action? Or they target their hack-back activity in the wrong country?”

Risk turning the cyber-universe into a modern wild west

It is the elusive nature of hackers that makes knowing where to fight the hardest part of hacking back. Adam Brown, security solutions manager at Synopsys, says usually an attacker is squatting on legitimate services and technology resources inside a law-abiding organisation.

“This reality makes the reactive hack-back attacker just another attacker, so therefore most likely to simply cause more damage. There is no sense in attacking the attackers with the same methods,” says Mr Brown.

Richard Ford, chief scientist at Forcepoint, has been studying and pondering this issue for some time now. Dr Ford points to technical, legal and ethical quandaries thrown up, and says if we approach this subject carelessly, we stand a good chance of turning the cyber-universe into a modern-day wild west.

“The overall benefits of hacking back are questionable at best and even if it works today, you must remember that the attacker-defender relationship is co-evolutionary. That is, one responds and evolves based on input from the other. To that end, if hacking back worked briefly, in the long term I don’t see it as a viable solution,” he says.

In real-world terms, it is difficult to find any working technology practitioners who will admit to having carried out any hack-back procedures. Stephen Burke, founder and chief executive of Cyber Risk Aware, concedes to having considered the activity during his time working as a chief information security officer.

“After contemplating hacking back, I always very quickly came to the conclusion that we could not do it,” says Mr Burke. “Irrespective of all the legal and ethical considerations, it always comes down to the question of whether we could be absolutely sure of who attacked us? Irrefutable evidence, beyond reasonable doubt, is hard to come by here.”

Hacking back will never succeed in levelling the playing field

The inconvenient truth is that cybercriminals are highly anonymous and cover their tracks very carefully using encryption and international cross-border routes that are incredibly difficult to trace. They will often make an attack look as if it came from a specific part of the world, often for propaganda purposes, or even from another company’s or country’s network, when that network has in fact been used as a staging post. One example is the suspicion that it was North Korea that attacked Sony Pictures.

“The other side of all of this is, if you do attack, what happens then? What if they attack back even harder than before? Are you prepared for this and the responsibility of having to explain your actions to all the stakeholders in the business? These are very big questions and no matter the answer, I could never get beyond reasonable doubt,” says Mr Burke.

There is very little consensus to suggest that hacking back should form any significant part of the next technology revolution. Artturi Lehtiö, service technology lead for cybersecurity consulting at F-Secure, points out that this isn’t a question of offence versus defence. Cybercriminals focus 100 per cent on attacking targets, while companies focus on business and, where possible, cybersecurity protection.

Hacking back won’t change this fundamental asymmetry and we need to recognise that the playing field is uneven. This is not football, not during the World Cup, not ever.