Hacking back. It’s the stuff of movies: a corporate or government network is hacked by unknown parties who make off with critical information. In response, an intrepid technology expert tracks down the bad guys and hacks their network, deleting the stolen data and damaging their systems.
In real life, hacking back might look like a reasonable response to the explosion of data theft and cyberattacks that have been plaguing both private businesses and government agencies. But there are unintended consequences, along with one that’s obvious: it’s illegal for private entities to undertake this kind of attack (NOTE: this is not intended to be legal advice. Please contact the appropriate counsel for advice on all legal matters).
Legislation was introduced in late 2017 to allow some limited form of hacking back, but it has yet to be approved by Congress. And while hacking back might be technically feasible, it opens up a number of technical and ethical challenges that must be addressed.
Still, there are several actions non-government entities can take to actively protect their systems and data. To look at this from multiple angles we spoke with Malcolm Harkins, Chief Security and Trust Officer at Cylance.
Government Technology Insider (GTI): Let’s start with whether this is even practical. Can you identify who attacked you with certainty and then reach out to their network and find and destroy the stolen data?
Malcolm Harkins, Cylance (MH): A lot of people think that you can. But the reality, from what I’ve seen, what I’ve read, and from other experts that have way stronger technical competencies than I do, is that attribution is a difficult problem. There was an article in The Journal of Strategic Studies in 2014 on attributing cyberattacks by Thomas Rid and Ben Buchanan, and they basically conclude that definitive attribution is difficult and maybe impossible.
It’s not an exact science. The Internet was not built for definitively knowing who’s on what end of the other connection.
GTI: We keep seeing on TV shows and movies how bad guys spoof their IP to basically become impossible to trace. So how could you actually figure out who it is attacking you?
MH: Think back just a couple of years ago to the Dyn attack. All these IoT devices affected the internet because they were used en masse as a distributed denial of service attack. Those devices were in homes and businesses. They were compromised to be used as a weapon. So, in some cases the machine that’s attacking you might also be a victim.
We certainly saw that with the breach at Target. It was an HVAC vendor who had a network connection into Target. They weren’t intentionally trying to get in to Target. Their systems were compromised, and then that was used as the pathway into Target.
GTI: From a resource perspective, is hacking back even likely, considering that most I.T. organizations are focused on preventing data loss and now they would have to also go on the offensive? Is that even a probability?
MH: I think certainly, for some organizations that are exceptionally well resourced, well-funded and have a management philosophy to strike back when they get hit, those organizations probably would, if legally allowed, go down that path.
Now I still think that that’s fraught with issues. And I don’t believe that legalizing hacking back or what’s been called “active defense,” which allows for limited offensive actions, unless it is very tailored and, in essence, has a “Do No Harm” provision (is a good idea), because you don’t know who’s on the other side of what might be breaching or attacking you.
It could make sense to allow ISPs and network providers to bounce systems off a network, (which), you could argue, is an active defense. It might be disruptive to the system that is causing the intrusion, or attack, but it’s also limited in scope and it would be in the hands of a few organizations that would be capable of doing that. But by and large, I’d say legalizing it, that anybody who has a computer who feels like they’re under attack can take offensive measures against what is perceived to be attacking them, I think is a bad idea.
GTI: Playing devil’s advocate, if the bad guys think that their victims can strike back at any time, well, maybe that’s a deterrent. So, let’s talk more about some of the risks of going after the cyber bad guys once they’ve attacked your network.
MH: Well you know, it’s interesting that you mention this because, just in the past week, there was the release of the National Cyber Strategy as well as a summary of the Department of Defense Cyber Strategy. In the National Cyber Strategy, there’s a broader dialogue and discussion around deterrence and in the DoD strategy, there’s a strategy around building a more lethal joint force.
So, I think, from a government perspective and a law enforcement perspective, that’s their role, to do deterrence. Because, with human intelligence, signals intelligence, all the other things that they have at their disposal, the likely probability that they would be more accurate in the attribution as to who to go after is higher. Certainly, under current laws, again not being a lawyer but my understanding is, that would be appropriate for a government or for the military to take lawful action. But I think when you get back into a corporate context or a citizen taking action on their own it’s a bit different.
Let’s take an example like the Target breach from a few years ago. Let’s just say under a law that gets passed or could get passed that says, “Hacking back is fine,” and Target in that scenario hacked back and took out that agency vendor and they didn’t know who was on the other side of it. But let’s just say in this scenario that I’m contriving that the HVAC vendor is also providing remote support and maintenance for the heating and air conditioning for a 1,000-person assisted living center in downtown Chicago. And it happens to be the dead of winter with a minus-20-degree wind chill and subzero temperatures. When Target takes out that HVAC vendor, there’s a ripple effect and that HVAC vendor is now unable to do remote maintenance and support on the heating that is required to keep this thousand-unit assisted living center warm during that storm. And because of that the heating goes out and a dozen people die.
That is a contrived scenario. It might be a remote possibility, but it is still a probable, potential outcome in a hack-back scenario depending upon what actions were taken and the ripple effects.
I don’t think organizations can adequately predict the consequences of their actions if they were to actually go on an offensive footing.
GTI: Let’s talk about things that non-government entities can do to take a more active role in protecting themselves, with things like honeypots to lure or redirect unwanted intrusions. What other kinds of active means can commercial firms take?
MH: I think the notion of honeypots, by and large, is a good one, to draw them in to a particular area so you can control their actions, learn, understand, disrupt. That’s not necessarily an offensive action out towards somebody else’s network or device in a way that could harm others. I think the notion of creating a maze inside your network, when you discover that there might be an intruder in your systems, to disrupt, disorient and frustrate their ability to do harm in your systems is OK.
The notion that some have proposed of having a data beacon, so that you know where it is, is also a limited capability that, by and large, would more than likely not cause any real harm, but it would allow you to at least go seek to understand as an organization – with law enforcement and perhaps the appropriate intelligence and military organization, depending upon the context – where that data is, who may have taken it and then what to do about it.
I’m just against the notion – again taking a physical analogy to this – of an equivalent “Cyber Stand Your Ground” law. And a lot of people don’t like me saying that, but I think it could result in that, and therefore I think there’s too much harm that can be done.
GTI: Is there anything else we should consider when we’re talking about this issue?
MH: It’s a vexing issue because there certainly needs to be deterrence and I think there might be active things that organizations can do on their networks to repel attacks by using their systems.
But, when you look at the risk equation of “risk as a function of threat times vulnerability times consequence,” by and large a CISO has no ability to control the threat actor and threat agent. Consequence or impact is what it is, based upon the dependence on technology you have.
So, the only thing that you really have at your disposal is how vulnerable you are. And I think organizations should focus on that. Where do I have vulnerable systems? Where are my security controls not adequately protecting me? What can I do to drive the creation of technology to limit the vulnerabilities earlier in the process to reduce my attack surface?
If we focus on that, we’ll actually make a better bend in the curve of risk than by beginning a cyber weaponization and arms race by enabling everybody and their brother to take offensive action, versus leaving that in the hands of nation-states who can lawfully and appropriately, I think, better weigh the consequence of those types of actions.
GTI: That is always the risk, isn’t it, that somebody strikes your network, you strike back and then it just escalates out of control — you’re almost daring them to get them back again.
MH: Definitely. Take the situation with Sony, and assuming all the news articles are accurate, it was North Korea that went after them. If they had hacked back and launched an attack it would have been against another nation-state. What’s the cascading impacts of that? That’s where I think we’ve got to allow these things to be done by government.
And again, in a limited fashion, there may be some organizations that are appropriate to take those actions, as I mentioned, a network provider. You could argue them bouncing systems off a network that are causing disruption is an appropriate action and it’s a limited action. But by and large, I don’t think it’s a good thing to approve and then encourage any organization and any person with a computer to take offensive action when they feel or perceive or realize that they’ve been breached or that they’re under attack in some way.