Why Hacking Back is a Terrible Idea
Hacked companies facing financial and reputational harm, and even regulatory action, often find themselves in the spotlight with little recourse and frequently without knowing the attacker’s identity. Understandably, a hacked company would want to go after the attackers — proactively investigating an attack, seeking attribution of the attacker, and recovering stolen property.
However, current law makes that difficult.
Most cybercrimes in the U.S. fall under the Computer Fraud and Abuse Act (CFAA), a 1986 law prohibiting unauthorized computer system access. The law effectively makes it illegal for people to access computer systems that don’t belong to them without permission from the owners and places offensive cybersecurity actions solely in the federal government’s hands.
This may all change soon thanks to a bipartisan bill introduced in Congress by Sens. Steve Daines, R-Mont., and Sheldon Whitehouse, D-R.I. Essentially, this new bill would direct the Department of Homeland Security (DHS) to study the risks and benefits of allowing private organizations to go on the offensive in response to cyberattacks.
The bill came after two major ransomware attacks in May targeting critical-infrastructure operators: the Colonial Pipeline attack, which forced a six-day closure of the largest fuel artery on the East Coast, and the meatpacker JBS USA attack, which took some U.S. beef-and-pork processing offline.
Hacking back can involve any of the following three actions:
- Deleting or retrieving stolen data
- Harming the hacker’s system
- Identifying the hacker and reporting them to law enforcement authorities
The Dangers of Hacking Back
While the appeal of taking action against an attacker is easy to see, industry veterans say that private-sector hacking raises several concerns, including:
- Attribution is nearly impossible: Even businesses with significant resources will find it difficult or even impossible to attribute cybercrime activities successfully and accurately. Hackers are masters of obfuscation and typically cover their tracks by spoofing IP addresses and using hacking tools developed by others. It’s also challenging to be certain a computer that seems to be behind an attack hasn’t itself been hacked.
- It’s too easy to cause collateral damage: Incomplete or inaccurate information could also lead to collateral damage at other companies. Law enforcement can execute a subpoena and easily see that a server is shared, but private offensive security teams can’t know, making it easy for the wrong systems to be targeted.
- Hacking back would inevitably lead to damaging reprisals: Hackers aren’t going to take attacks on their systems lightly. Having already found vulnerabilities in victims’ digital defenses, they might well exploit more of them if provoked. Allowing companies to go on the offensive and hack back could also make them bigger targets for nation-states and other hackers.
- The damage is already done: Your digital data is highly insecure once it’s stolen, and even if you could locate the stolen data, retrieving or deleting it won’t assure more security because you wouldn’t know whether more copies of your data exist. Furthermore, any data you take off a hacker’s server should be treated as permanently compromised.
- Significant legal ramifications: The bill provides no real protection should something go wrong. If a company accidentally harms another person or organization during a hack back, the result will most likely be expensive legal proceedings, reputational damage, and loss of trust. Companies and individuals who hack back would also run a high risk of breaking the anti-hacking laws of other countries or international bodies.
The Best Defense is Proactive Cybersecurity
Ransomware and cyberattacks will only increase in frequency and sophistication – unfortunately, threatening cybercriminals with retaliation is not feasible for companies. Investing in proactive cyber defense is a far better use of a business’s critical IT and security operations resources than hacking back. Many cyberattacks only succeed because companies have failed to patch known vulnerabilities in their systems or adopt basic security policies like two-factor authentication. By continuously testing security controls, organizations can easily identify and remediate any security issues before they become a serious problem.
Alvarez Technology Group can help improve your company’s cybersecurity posture. We can perform a security audit on your systems to discover vulnerabilities, patch them, and upgrade your firmware and hardware for enhanced security. From firewalls and endpoint security to penetration tests, we’ll help you prevent cyberattacks, so you don’t have to worry about performing a hack back. Contact us today to schedule a consultation!