I’m back from a short vacation and still crawling out from under a pile of email and meetings, but I wanted to get back on track with the weekly blog post. While I was sitting poolside near the Everglades, I spent some time thinking about the terms “cyber war” and “cyber defense.” People, especially in the press, use both terms a lot, but I don’t think we all share the same definitions and concepts behind them.
One concept deals with self-defense in a cyber scenario. This concept is called “hack back” in security circles and has recently been included in discussions under the umbrella term “offensive cyber operations.” Basically, the term asserts the right of people, businesses, and governments to hack the hackers, actively protecting intellectual property by using hacking tools to find and retrieve data. In real terms, however, it’s the cyber equivalent of “I think you stole my stuff, so I’m going to break into your house to take it back.”
I’ll get right to the bottom line and state that I think hack back is a bad idea that’s being tossed around by people who haven’t thought it through. I understand that businesses are frustrated by hackers (both the criminal and the state-sponsored varieties) and that they jump to the conclusion that they can protect themselves better than government is doing it now.
Whatever the motivation, the act of striking back in an environment as broad and anonymous as the Internet is likely to create more problems than it solves. As Rep. Mike Rogers (R – Michigan) said, “I get very, very concerned about an unleashed private sector doing active defense, because a lot of things are going to go wrong.”
Let’s look at the issue a little more closely. First off, hack back is illegal. The Computer Fraud and Abuse Act of 1984 makes any kind of hacking akin to trespass. The problem in this case is that the law is ambiguous, and the advocates for changing it stress that the law is about the computer while what they want is to reclaim the data. Recently, there have been suggestions that would legalize hack back to a certain extent, but the consequences are frightening. As James Lewis, a senior fellow with the Center for Strategic and International Studies, said, it would “create the risk that some idiot in a company will make a mistake and cause collateral damage that gets us into a war with China.” In short, hack back is not the same as trespassing, due to the indirection of the attacks and the global nature of the Internet – digital self-defense is not the same as physical self-defense because you can’t always be sure of the target.
Second, is hack back really feasible? How do you know who stole your data? How do you know where they hid it? I see attribution as the biggest obstacle to hack back. If I get hacked and I counterattack the wrong person, I’m just as guilty as the original hacker. What’s more, what if I counterattack and find myself in a hacking competition with the People’s Liberation Army? Who is going to save me then?
Finally, there are alternatives to direct action. Placing self-destruct failsafes or “phone home” beacons on critical data is feasible, but a more effective approach would be to actually use best practices in designing, operating, and maintaining our information systems. Why should a business be allowed to hack back if it can’t figure out how to apply patches or implement a password policy? Teaching system admins and network engineers how to implement security features within a user-accommodating mindset is the key. Security should be viewed as a critical enabling factor, not as a threat to productivity.
In the end, the debate is likely to go on for a long time, but the situation isn’t going to change soon. We’ll likely see lots of rhetoric, but I think that the offensive stuff will stay in the hands of nation-states.