Are we interested in living in a cyberpunk world where corporations legally "hack back" at adversaries they believe launched a cyberattack against them? While that sounds a bit melodramatic, U.S. Congress has considered bills that could allow this.
Back in 2017 and 2019 there was a proposed bipartisan bill called the Active Cyber Defense Certainty Act (ACDC), colloquially known as the “hack back” bill. ACDC acknowledges that U.S. businesses now face more and more cyberattacks while hackers go unpunished. It would let organizations retaliate in certain circumstances, potentially spotting incoming threats or recovering stolen data. It would also add an exception to the Computer Fraud and Abuse Act (CFAA), allowing companies to use “beacons” that could help track cybercriminals. In short, it would open the door for corporations and private entities to go on the offensive.
While the ACDC Act hasn’t gone forward since 2019, last summer some Senate Finance Committee members introduced a bill instructing the Department of Homeland Security (DHS) to study the potential benefits and consequences of allowing private companies to hack back, called the Study on Cyber-Attack Response Options Act. It asks the DHS questions around attribution and which federal agency would authorize a proportional response, what responses are allowed, and what safeguards it would put in place. Basically, they want to know the advantages and disadvantages of hacking back.
My research team has debated "hack back" for years. Rather than wait for a bill allowing the DHS to do this study, let’s explore my team’s five pros and cons.
- Deliver justice: People are considering this bill because many cyberattacks go unpunished. Because of the complexities of international law enforcement and attributing cybercrimes, many hackers get away with their attacks. The nation really needs to flip this and help find and prosecute the attackers.
- A deterrent: If more attackers got caught some may reconsider hacking systems at all.
- Disrupt attacks: In many attacks, the damage isn’t done until data is sold, or files are irreversibly encrypted. Hack back offers access to the attacker’s infrastructure, allowing organizations to recover encryption keys or disrupt the attack.
- Collect cyber threat intelligence: If an organization gains access to the attacker’s resources, it can learn the tools, techniques, and procedures they use. This valuable intelligence can help all companies prevent potential attacks.
- An alternative to more dangerous responses: Cybercrime has gotten so bad that nations are considering more aggressive responses and sanctions. For example, in early October the White House hosted a global ransomware summit with 30 countries, but didn’t invite Russia. Cyberattacks, especially ones like the Colonial Pipeline attack, could someday result in war. The proposed bill could offer a level of justice to help defuse frustrations before governments take more drastic measures.
- Legal dilemmas: This whole discussion hinges on a bill that would make some "hack back" legal in the U.S., but cybercrime is an international issue. In fact, it’s the international nature that’s currently limiting justice. Furthermore, the ACDC Act tries to limit "hack back" actions private companies would take, but if the bill’s language is too vague, it’s open to interpretation. Essentially, many companies taking the offensive could end up in court regardless of any bill.
- Cyber attribution takes work: Notice I didn’t say impossible. It’s feasible, but because the internet and our technology allow for proxy attacks through intermediaries, identifying the attacker from an organization’s logs alone isn’t enough. While most companies have some cybersecurity expertise, attribution requires different skills. Businesses don’t want private companies accidentally attacking the victims of another hack, just because that victim’s system was used by the attacker.
- Vigilantism can become a slippery slope: While the ACDC Act tries to limit what type of "hack back" private companies can do, opening this door could allow a flood of other actions. Once an organization has a beacon on an attacker’s system gathering data, it realizes that a few changes could allow for even more. This could provide an excuse for attackers to commit more cybercrimes.
- Skirmishes turn to wars: While hacking back hopes to deter criminals, some attackers may respond aggressively and up their efforts against the organization in new ways. This could potentially escalate to cyber wars between private companies and criminal groups.
- Private companies can attack nation-states: Most cyberattacks are launched by criminals acting as private citizens. However, we’ve seen nation-states participate in private cybercrime before. For instance, North Korea attacked Sony, and some believe they were behind the WannaCry ransomware. What if a company attacks a state-sponsored cyberattack team? That could quickly result in a political nightmare.
These are just some pros and cons my team has discussed. Overall, as tempting as "hack back" sounds, we aren’t convinced it would work out the way people hope. We encourage people in our industry to critically think about the choices before us.
Corey Nachreiner, chief security officer, WatchGuard Technologies