A bipartisan bill introduced last week would have the Department of Homeland Security research what most in cybersecurity refer to as "hacking back": the use of offensive hacking as part of network defense or incident response.
The bill from Sens. Steve Daines, R-Mont., and Sheldon Whitehouse, D-R.I., comes at a time when many businesses are at wits' end due to the constant onslaught of ransomware and other threats. While the lawmakers wonder if a hack-back strategy could be a powerful deterrent, security experts worry that such reactionary legislation might do even more harm.
Hack back is not a new idea. In 2016, for example, Rep. Tom Graves, R-Ga., introduced the Active Cyber Defense Certainty (ACDC) Act, which would have allowed businesses to return fire on hackers for the purpose of locating the attacker or recovering stolen files. The bill had nine co-sponsors, both Democrats and Republicans.
Whitehouse said via email that renewed interest in hacking back appears to be the result of a tumultuous year of high-profile hacking incidents, ranging from broad Russian and Chinese intelligence intrusions to a dramatic uptick in ransomware.
"The Colonial Pipeline ransomware attack shows why we should explore a regulated process for companies to respond when they’re targets," he said. "This bill will help us determine whether that process could deter and respond to future attacks, and what guidelines American businesses should follow."
The Daines/Whitehouse bill calls for DHS to perform a study on the viability of allowing private entities to take "proportional" actions against hackers under oversight of an appropriate federal agency. DHS would have 180 days to turn in a report.
The bill does not propose a complete framework for hacking back. Generally, hacking back is advocated as a means to generate reconnaissance on who breached a network, rather than inflict a counterattack.
Most people in the security industry range from hesitant to offended.
"I think this is a sensible piece of legislation in the sense that it is focused on asking DHS to do a review of the costs and benefits of allowing the private sector to have a more aggressive, offensive stance and capabilities. That makes sense. I think we'll look forward to seeing what the study has to say and then see what the policymakers do about it," said Tom Gann, chief public policy officer for McAfee. "That said, if the report came back and had a big green flashing light, saying, 'Thou shalt hack back. Go for it.' I would be concerned about that."
"This bill, while providing red meat for 'cyber hawks' is a uniquely bad idea and a direct result of electing legislators that have no background in science or technology," said Mike Hamilton, former chief information security officer of Seattle and current CISO of Critical Insight.
Collateral damage for hacking back
Hackers make every effort not to be caught. Even the least sophisticated intrusions are routed through hijacked intermediary servers or the Tor network. More sophisticated efforts involve more elaborate obfuscation, including attempts to create misattribution. The Olympic Destroyer malware showed what appeared to be deliberate hallmarks of North Korean hacking operations to mask more subtle markers of Russian operations.
"It is very easy for organizations to make errors in the physical world," said Gann. "It's one of the reasons why individuals are not allowed to just go run down robbers and arrest them themselves because the whole art of investigations - the methodology of arrests, the whole process of convicting these - are all authorities only allowed to the state."
A lot of what happens in hack back will depend on what actions are permitted. Offensive techniques could range from the fairly benign, like attaching a beacon to a file to identify who has opened it, to over-the-top actions likely to be excluded from any law, like crashing the power grid of a country harboring cybercriminals. But any option involves running computer code on someone else's computer, meaning that, by coding error or intention, any option could result in damaging a system. It is for good reason that the FBI recently got a warrant before disabling a large botnet on unknowing victims' computers.
If there is misattribution or if the server being hacked back has been hijacked, that could mean considerable harm to an innocent third party. Hacking back a criminal might mean first rooting around the hospital server they have used to stage attacks.
The more aggressive hacking victims are allowed to be, the higher the risk for collateral damage.
"I could certainly see hack back (or at least the threat of hack back) being a deterrent, and it would bring additional resources and expertise into the fight. I could also see this quickly spiraling out of control and causing collateral damage and further cyber escalation if it is not well regulated and coordinated," said Chris Kubic, current CISO of Fidelis Cybersecurity and former CISO of the NSA.
The Daines/Whitehouse study seeks to tamp down on potential collateral damage by requiring federal oversight. But no amount of oversight changes the fact that hack back relies on the private sector handling powers it would almost never be offered in any other venue.
Shadow foreign policy
Many hackers are not American. Many of the intermediary servers used in hacking are not located in America. And many criminal hacking operations, most notably North Korea's government-backed theft ring, have ties to foreign governments.
"Allowing the private sector to execute an offensive operation to disable another organization's or another government's cyber capabilities or imposing other digital harm to those other actors really does get you into a gray area. It's a form of warfare. And civilized countries with constitutions reserve war executing operations fundamentally to the public sector," said Gann.
A U.S. firm that inadvertently shuts down Russian critical infrastructure is not just creating conflict between the private sector and Russia, said Gann. It is creating a conflict between the U.S. and Russia, either because the U.S. policy allowed the accident or because Russia assumes the U.S. intended harm.
The same factors would be in play even with allies. Germany will not be thrilled with U.S. enterprises hacking its banks for any reason. Canada will be defensive of its hotel industry. The private sector would be granted a significant leash to impact international relations.
An industry of harm
Hack back comes with costs to the enterprise. One will be a contractor's bill or a staff hacker's salary. The other might come from the second-order effects of turning the private sector into cyber combatants.
“Nation-states know they can back up certain behavior with certain other behavior. The private sector doesn't have any of that. The private sector is potentially going to take an action that could result in a government response. And there's none of the sort of responsibility for how that would then be managed as an escalation path,” said Jen Ellis, vice president of community and public affairs at Rapid7.
If a government launches a counteroffensive against a business, the government is almost always going to win, whether that is through digital jousting or economic sanctions.
Depending on the sophistication of the business, escalating combat with a criminal group could also end badly for an outmatched enterprise.
Some of these fears could be mitigated by only allowing groups fully prepared to sidestep any potential pitfalls to participate in hack back.
“If the government moves forward with this they would want to regulate the hack-back authority to a select set of industry partners who have the insights and knowledge to attribute the attacker, the skills to perform the hack back and defend themselves against a counter-attack, and a proven track record of coordinating their activities with the government,” said Kubic.
The problem, noted Ellis, is that, even in the best of circumstances, agencies would never have full, real-time, operational oversight. And the better regulated the hack-back industry, the more exclusive the service would become.
“There is a poverty line for the security haves and have-nots. The organizations that are above that line are well resourced. If hack back was legal and was in any way effective, what it would likely do is push attackers to focus more on organizations that are below the poverty line,” she said.
Because hack back could take a variety of forms, its likelihood of succeeding at what it sets out to do varies as well. However, one central promise of a hack-back industry is something enterprises do not need a hack-back industry to achieve: it is frequently possible to investigate and attribute hackers without doing any hacking yourself.
“The lack of prosecution today is not because we don't know who they are. The lack of prosecutions is because they exist in safe harbors,” said Ellis.
In the end, proposals like hack back will proliferate as long as enterprises feel as if hackers have an insurmountable advantage.
“Large enterprises feel as if they are in a position where the odds are stacked against them, and they want to be able to do something to sort of take their destiny into their own hands. They want to be able to even the scales a little bit. You can sympathize with that position, but in reality, hack back is just a terrible idea from beginning to end,” said Ellis.