The never-ending episodes of data theft and cyber attacks that have been plaguing both private businesses and government agencies seem to be completely one-sided. That is, bad actors attack a company or government agency, and the best that can be done is to try to fend them off or, at least, quickly recover from the incursion.
Hacking back – that is, attempting to identify and attack the entity that just broke through your defenses – seems like the next step for some organizations to take. But it isn’t that simple.
For the Government Technology Insider Podcast, we spoke with Malcolm Harkins, Chief Security and Trust Officer at Cylance, to take a hard look at the realities, risks and consequences (unintended or otherwise) of hacking back. He also brought up some ways that CISOs can take a more active stance to protect their networks.
It’s important to note that, while some government agencies may have the legal authority to initiate or respond to a cyber-attack from an outside party, it is currently illegal for private companies or individuals to do so. For legal advice, please contact the appropriate counsel.
Harkins explained that it’s harder to hack back than people may think. Identifying who perpetrated the attack is extremely difficult. He also noted that, in some cases, the threat actors took over devices or networks that were then used to attack yet another party. Citing the DDoS attack against Domain Name System provider Dyn in 2016, he pointed out that in this case, the “machines that are attacking you might actually also be a victim.” Without definitive attribution, you simply can’t be sure whether you’d be retaliating against the right entity.
Harkins says it might be acceptable, if laws are changed to allow it, for ISPs and network service providers to bounce an attacker off the network, but only in narrowly defined situations and with substantial oversight. For the most part, hacking back is – and should be – the domain of law enforcement, the intelligence community and the military.
So, what can organizations do to take a more active role in cyber defense? Harkins agrees that honey pots, mazes and other methods to control attackers’ access and to learn, understand and disrupt their activities are good ideas. Data beacons could also be effective: they can show where your data has gone if it is stolen and provide information to share with law enforcement.
But, he explains, it comes down to CIOs and CISOs understanding their vulnerabilities and focusing on driving the creation of technologies and procedures to mitigate them. That, he states, would make a “better bend in the curve of risk than cyber weaponization” – preventing an “arms race” that could have dire consequences.
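As an added example of the lowest-effort form of the deception Harkins endorses (this is not code from the podcast or from Cylance), the Python below plants honeytokens, decoy credentials and hostnames that no legitimate process ever uses, and scans log lines for any mention of them. Everything in it is constructed for illustration: the token values, the log format, the addresses and the alert fields are assumptions, not a real product's output.

```python
"""Honeytoken detection: plant decoy secrets, alert on any use.

Added example; not code from the podcast or from Cylance. Token values, log
format and IP addresses are all constructed for illustration.
"""
import re
from collections import defaultdict

# Decoy values planted where an intruder would find them (a config file, a
# runbook, a password-manager export). Nothing legitimate ever uses them, so a
# single occurrence in telemetry is a high-confidence signal. Values are made up.
HONEYTOKENS = {
    "api_key": "hx_live_7f3a9c2e1b0d4e8f",        # fake key in a decoy config
    "username": "svc-backup-legacy",              # decoy account, never issued
    "hostname": "fin-db-archive.corp.example",    # decoy host, no real record
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines: "<ISO timestamp> <component> <message>".
SAMPLE_LOG = """\
2024-03-01T02:14:07Z api-gw GET /v1/export key=hx_live_7f3a9c2e1b0d4e8f from 198.51.100.23 status=401
2024-03-01T02:14:09Z sshd Accepted publickey for deploy from 10.0.4.12 port 51122
2024-03-01T02:15:31Z sshd Failed password for svc-backup-legacy from 198.51.100.23 port 40211
2024-03-01T02:16:02Z dns query fin-db-archive.corp.example type=A from 198.51.100.23
2024-03-01T03:01:44Z api-gw GET /v1/health from 10.0.4.12 status=200
"""


def find_honeytoken_hits(lines):
    """Return one dict per (line, token) match: timestamp, token name, source IP, raw line."""
    hits = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        ts = line.split(" ", 1)[0]
        ip_match = IP_RE.search(line)
        src = ip_match.group(0) if ip_match else "unknown"
        for name, value in HONEYTOKENS.items():
            if value in line:
                hits.append({"ts": ts, "token": name, "src": src, "line": line})
    return hits


def build_alerts(hits):
    """Collapse hits by source IP so one intruder touching several decoys is one alert.

    The alert carries what an IR team or law enforcement actually needs: when the
    source first appeared, which decoys it touched, and the raw evidence lines.
    """
    by_src = defaultdict(list)
    for hit in hits:
        by_src[hit["src"]].append(hit)
    alerts = []
    for src, src_hits in by_src.items():
        alerts.append({
            "src": src,
            "first_seen": min(h["ts"] for h in src_hits),
            "tokens": sorted({h["token"] for h in src_hits}),
            "count": len(src_hits),
            "evidence": [h["line"] for h in src_hits],
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in build_alerts(find_honeytoken_hits(SAMPLE_LOG.splitlines())):
        print(f"{alert['first_seen']} {alert['src']} touched {', '.join(alert['tokens'])} "
              f"({alert['count']} events)")
```

Two design points are worth noting. The decoy API key in the first sample line was rejected (status 401), yet it still raises an alert: the attempt is the signal, since nobody legitimate should even know the value. And the legitimate host 10.0.4.12 never appears in an alert, because a honeytoken has no false-positive path in normal operation. Everything here happens inside your own telemetry, which is exactly the distinction Harkins draws: learning about and disrupting an intruder on your own systems is lawful active defense, while reaching out to the machine at 198.51.100.23 is hacking back.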