The debate over “hacking back” (also known as “active defense”) against criminal cyber attackers has raged for decades. And it doesn’t look like it will be ending anytime soon.
On the pro side are experts like Stewart Baker, former general counsel at the National Security Agency (NSA), former assistant secretary for policy at the Department of Homeland Security (DHS) and now a blogger and partner at Steptoe & Johnson with a cybersecurity practice.
He has, for years, preached that, “defense is not enough,” and that the only way to deal effectively with cybercrime is to make it more costly by attacking the attackers.
On the other side are experts who, as the Washington Post reported last fall, will warn anybody even considering it that most forms of hacking back are illegal under the Computer Fraud and Abuse Act (CFAA) and that, “retaliating could spark full-scale cyberwar, with collateral damage across the Internet.”
That has never convinced Baker. “We will never defend our way out of the current cybersecurity crisis,” he wrote on his Steptoe Cyberblog. “That’s because putting all the burden of preventing crime on the victim rarely succeeds. The obvious alternative is to identify the attackers and punish them.”
Baker also told the Post reporters that the legal risks are declining – that government officials are more likely to assist those who hack back than to prosecute them. “The government is giving ground silently and bit by bit on this by being more open,” he said.
Indeed, that may be in part because the Pentagon has declared publicly for the first time that it considers offensive cyber actions to be one of its options in conflicts with enemies.
Its latest cybersecurity strategy document says the Defense Department, “should be able to use cyber operations to disrupt an adversary’s command and control networks, military-related critical infrastructure and weapons capabilities.”
Robert Hansen, vice president of WhiteHat Labs, WhiteHat Security, said another problem with enforcing the CFAA is that, “the law currently is so poorly written that almost nothing we do online is legal. So without consulting a lawyer on everything you do, it's entirely possible that you're breaking the law by not doing something – complicit in a crime, willful negligence, accomplice after the fact, etc.”
Still, on the other side are those like Anthony Di Bello, director, strategic partnerships at Guidance Software, who in a recent post on Dark Reading repeated the warning that hacking back, or what some call “active defense,” is a violation of the CFAA, which prohibits “trespassing” into another computer network.
Beyond that, he argued that defense is indeed enough and, done properly, is more effective than “an ego-fueled war of revenge.”
In an interview, Di Bello said those who responded to his post and disagree with him, “feel there are not sufficient legal channels for recourse.”
He is sympathetic, noting that there are only 1,000 FBI agents in the agency’s Cyber Division who are, “stretched to their limits, and in a sense, leaving victims to consider ways they can take matters into their own hands.”
But, he also cites his firm’s general counsel, Mark Harrington, who has called hacking back, “a form of trespassing, and I don’t think trespassing is going to become legal anytime soon.”
Di Bello and others contend that before organizations even consider going on offense, they need to understand their own environment well enough to detect the presence of invaders, who can remain silently inside a network for months or even years before exfiltrating data or causing other damage.
Indeed, on a panel at the recent RSA conference in San Francisco, Rhonda MacLean, founder and CEO of MacLean Risk Partners, declared that most organizations should assume they have been breached. “If a company tells you they haven’t been breached, they don’t know,” she said.
To have a meaningful debate on the issue, however, requires some defining of terms. Some experts object to the use of “active defense” as a euphemism for hacking back.
Rafal Los, director of solutions research & development at Accuvant, said he believes active defense is a good thing when it means, “the actions a defensive team takes to protect themselves, on their own systems/network and explicitly not hacking back to protect themselves and their assets from attackers.”
In other words, in his view, active defense still means defense.
Los said he believes if defenders do what attackers have been doing – learning about their adversaries’ tactics, capabilities and tools – they will be more successful.
But to do that, he agrees with Di Bello that defenders need to know much more about their own environment.
“Trying to adapt to an adversary without first knowing where our own weaknesses and critical assets lie is worse than futile,” he said, adding that, “knowing externalities is completely fruitless if you don’t know your internals. Period.”
That is also the view of Robert M. Lee, co-founder of Dragos Security LLC, who shares Los’s frustration at the use of “active defense” to describe hacking back.
Lee opposes the hack-back strategy in part because he says most organizations are not very good at it. “If organizations cannot effectively run defense programs and tackle the security basics, they cannot run an effective offensive program,” he said.
“Offense is harder than folks think, and returns less value than actually doing security.”
He also notes that entering a cyber thief’s network is not the same as entering a thief’s physical property to reclaim a stolen item.