Even as companies are hit by increasingly sophisticated cyberattacks, 82 percent of Influencers say they should not be allowed to "hack back" to retrieve stolen data or shut down computers targeting their networks.
There's been hot debate over companies' rights to defend themselves in cyberspace by taking offensive action. The US government has been reluctant to intervene as foreign-based hackers strike private companies – leaving this type of hacker-on-hacker retaliation a tantalizing option for some victims. But Passcode's pool of experts from across government, the private sector, and the privacy advocacy community warn the strategy, commonly known as "hacking back," could go very wrong.
"Hacking back is the worst option for companies because they don't know who is on the other end of the keyboard nor what capabilities that person has. What may start as simple [intellectual property] theft could, after a 'hacking back' attempt, result in the utter destruction of the entire network," says Jeffrey Carr, president of cybersecurity firm Taia Global. "For a small to medium-sized company, that could put them out of business. For an enterprise, it could cost them hundreds of millions of dollars. People with any life experience usually understand and respect the adage 'never pick a fight with a stranger.' The same adage applies in cyberspace."
It could also spark foreign policy consequences. Hackers could be backed by other nation-states, heightening the prospect of a wider digital conflict inadvertently launched by the private sector. "We should not be looking to escalate a cyberwar; we should be trying to defuse it," said one Influencer who chose to remain anonymous. Another added: "Would we let it happen in the physical world?"
The Passcode Influencers Poll brings together a diverse group of more than 90 security and privacy experts from across government, the private sector, academia, and the privacy community. To preserve the candor of their responses, Influencers have the choice to keep their comments anonymous, or voice their opinions on the record.
Some Influencers drew upon their own personal experiences to explain the potential perils. "I am an old Army cyber guy and I had a boss who, when I was feeling frustrated when I could not respond in kind back to a bad guy who was attacking us, would pull me aside and say, 'You know what, Rick? The enemy gets a vote,'" says Rick Howard, chief security officer for Palo Alto Networks. "Just because you are able to jab back against a cyber adversary does not mean that you should. Do you think the bad guy will just go away simply because you took a swing at him? Do you think he will say, 'Wow, these guys are tough. I guess I will hang up my hacking spurs forever?' More likely than not, you would have succeeded in poking the beehive and you may have unleashed a world of hurt on your organization that it did not need."
Even government organizations whose sole purpose, Mr. Howard said, is to attribute attacks have a hard time doing it with any level of confidence that would warrant an offensive action. "The idea of turning that problem over to a commercial organization who does not have a tenth of the resources is ludicrous," he said. "The result would be to transform the Internet into the Wild Wild West; commercial organizations pointing their cyber six-shooters at any perceived slight rightfully or wrongly." Even then, Howard says, the task should be left to professionals: law enforcement and intelligence. They too "absolutely should not get carte blanche for this kind of activity. There has to be some rules put in place that all citizens understand. There has to be some oversight put in place that regularly reports back to the citizenry about what these forces are doing."
A minority of 18 percent of Influencers said companies should be allowed to hack back after they're hit. "There is a significant spectrum of options for a victim to employ against a cyberattacker; 'shutting down' the computers used in an attack is at the extreme end of that spectrum," one Influencer said. "The fact is, the US government is not responding to the vast majority of cyberintrusions, whether for theft or destruction; private companies are on their own, and as such, they should be able to defend themselves in cyberspace. Does the Second Amendment not extend to cyberspace?"
If companies cannot get timely help and protection from law enforcement, one Influencer said, "they should be allowed to take responsible action to mitigate the impact of theft of their data. This should be done with full accountability for any damage to innocent parties."
Companies should be allowed to hack back "but only under strict controls, such as using a bonded, licensed company – perhaps even deputized by an accredited law enforcement agency – which acts on their behalf," suggested Jay Healey, head of the Cyber Statecraft Initiative at the Atlantic Council think tank. "This should start as a small pilot project as the international blow back is likely to be significant."
"Hacking back sounds like a great idea until you think about how easy it is to subvert. Today's attackers go to great lengths to hide the source of their attacks. How can any company know they're really hacking their attacker, and not some innocent bystander?" - Matthew Green, Johns Hopkins University
"The idea that someone could 'hack back' without producing unintended consequences is an absurd pipe dream promoted by businesses trying to monetize the concept. The millions of innocent people around the world whose machines are unwittingly serving as waypoints or botnet hosts would be the ones who ultimately pay the price." - Chris Finan, Manifold Security
"Today the Internet is the Wild West; with hack back it moves closer to Hobbes' Leviathan." - Jacob Olcott, BitSight Technologies
"Companies should be investing in actual defense mechanisms, not offensive capabilities. Actually doing defense is a far better security tactic than 'hack back.' Additionally, companies tend to have a misunderstanding of how difficult doing offense is and a misunderstanding of what can be gained. Applying the resources to being able to do 'hack back' to security would be a better use of those resources and go farther for the intended goals. Additionally, once data is gone from the network there is rarely any ability to 'retrieve' it or keep it from ending up in the adversary's hands. Executives in companies discussing 'hack back' strategies should focus efforts on empowering and training their people, breaking down cultural barriers hampering security, and aligning efforts to the threats they actually face." - Robert Lee, Dragos Security
"It depends. There are so many possible unintended consequences in hacking back that unless you truly understand what you are doing, it isn't worth the risk. Remember, when you hack back, you are escalating an event with someone who may have far greater skills, resources and evil intent than you. Hacking back should only be done after consulting with legal counsel because this opens a company up to all sorts of complex legal issues – especially if you hack back and find out you've made a mistake. Additionally, and this is a bit unfair, but if you couldn't keep someone out of your environment in the first place, what makes you think you have the skill to up the game by attacking back?" - Mark Weatherford, Chertoff Group
"Hey, I've got an idea, let's legalize vigilantism, but only for the one type of crime where people constantly talk about how difficult accurate attribution is. What could go wrong?" - Julian Sanchez, Cato Institute
"This is the role of law enforcement. Allowing a safe harbor for 'hack backs' would be an invitation to abuse competitors and the like. Let's keep the job where it belongs, with law enforcement." - Influencer
"We can't be taking law into our own hands as a general rule. Would need to understand the facts and circumstances. One should always contact law enforcement as fast as possible." - Influencer
"Vigilantism feels good but is rarely effective (for anyone other than Liam Neeson)." - Peter Singer, New America
"While we can imagine cases where it'd be satisfying for companies to do this, madness this way lies. Bad actors almost never directly tunnel into a network; they hide behind hijacked accounts and machines. To contemplate 'hacking back' puts those intermediate accounts and machines more in the crossfire. This isn't to say nothing should be done – ISPs and others can play a helpful role in quarantining the launching pads of attacks that are being used without their owners' knowledge – but hacking back should be off the table." - Jonathan Zittrain, Harvard University
"The legal right to 'hack back' would incentivize an escalating spiral of attacks with almost certain collateral damage to both networks and individuals. In the most sophisticated and damaging attacks, accurately identifying the attacker has proven elusive at best." - Influencer
"Hack back, retaliation, vigilantism. These words not only make for great headlines; they spark heated debate over the appropriate roles of the private sector and government in cybersecurity. Unfortunately, the 'hack-back' debate often obscures a much more fundamental debate over the future direction of US cybersecurity policy. For the past two decades, US cybersecurity has focused almost exclusively on defense – we've dedicated our time and resources to making it harder for our adversaries to penetrate our networks. But strong network fortifications are not fail-safe. Especially against nation-states and other concerted adversaries who are willing to go to almost any level of time, effort, and expense to penetrate a target's network. Defensive measures alone may delay – but are unlikely to prevent – penetration of target networks by concerted adversaries. Focusing exclusively on defense will not solve our cybersecurity problem. We need to raise the costs and risks to concerted adversaries in order to deter their activities. There are many divergent views as to the best way to do this, but one thing is clear: the time has come for a national conversation. Effective deterrence is not synonymous with hack-back, retaliation, or vigilantism. Elements of an effective deterrence strategy include: real-time detection of intrusions (a high likelihood of discovery will deter some would-be intruders) as well as identification and punishment of cyberintruders. In the absence of such consequences, cyberintruders should be expected to continue targeting our networks." - Melanie Teplinsky, American University
"There is a range of activities from passive defense, through more active defense, to offensive tactics. We do need to move to where something more active than today, but perhaps less than full scale 'hack back' is acceptable and even more commonplace." - Influencer
"We're a lot better at offense than defense, so there's a desire to think (in football terms) that the best defense is a good offense. The problem is, in sports you know exactly who your adversary is. In security, your adversary is often just another victim in a chain. This is a job for forensics and law enforcement, not sloppy packet spraying." - Dan Kaminsky, White Ops
"If hack is being defined here as illegal access to information, we need to be wary of vigilante style responses. While it's tempting to see the issue as a matter of self-defense, we need to think beyond individual actors and address the problem through policy that protects everyone." - Influencer
"No one is above the law – and whether it's real-world or digital vigilantism, it inevitably leads to abuses and further problems." - Sascha Meinrath, X-Lab
"This kind of attack - and it is an attack - should not be up to companies. Historically, this kind of action offline has been the purview of law enforcement and defense agencies." - Influencer
"There are several good arguments against hacking back. First, the attacks would have to be regulated, and it would be extremely difficult to develop a regulatory regime that would adequately define and limit hacking back. Second, the efficacy of these attacks is likely to be low. Truly determined state-supported actors will not stop current attacks or be deterred from future ones. Third, there are bound to be mistakes, and private companies will either damage innocent parties or cause inadvertent escalation with state actors." - Adam Segal, Council on Foreign Relations
"I'd be all for hack-back if the private companies doing it were held to the same level of probable cause as law enforcement, but with cyberattacks, attribution is often less than concrete. Legalizing hack-back would spawn an entire industry of cyber-guns-for-hire, and innocents would absolutely be harmed in the pursuit of retribution based on shaky attribution." - Nick Selby, StreetCred software
"Attacks are hard to attribute, and hacking back can lead us to a Wild West on the Internet. It can escalate, and it doesn’t just not solve the larger problem, it creates far more problems." - Rep. Jim Langevin, Congressional Cybersecurity Caucus
"Too often the malicious actors will use a proxy computer or system. You may 'hack back' at another victim." - Jenny Durkan, Quinn Emanuel Urquhart & Sullivan
"Although it is a legitimate question in the current environment, allowing companies to 'hack back' will inevitably lead to conflict escalation, not to mention the potential mess if the counter strikes are directed at the wrong target. This debate exemplifies the confusion reigning in the cyber policy realm, where companies are left to wonder if cyberspace is the new Far West while citizens worry about the overwhelming presence of governments in their lives online." - Camille Francois, Berkman Center
"The rule of law, so to speak, has a purpose. One of which is to distinguish attackers from victims. 'Hacking back' is a bad idea not just from a legal point of view, but also from a technical point of view. Once your data is lost, it can be and will likely be backed up, stored offline, and in multiple servers. You can't actually get it back. Also most organizations don't have the technical prowess to determine who actually hacked them. Hint: it usually isn't whom you think it is at first blush. Finally, best to go through proper channels of insurance, legal, and Justice department. Often, if you are being hacked so are others and sharing threat intelligence and breach is more likely to lead to resolution than hacking back." - Anup Ghosh, Invincea
"I do not believe private companies should 'hack back to retrieve stolen data or shut down computers.' This may be a role for government agents. This sort of 'counter-force' activity is what I believe Admiral Rogers referred to recently when he requested authorities to conduct offensive operations. The target would be adversary hackers, not adversary intelligence, security, and diplomatic targets, which are the primary objectives under existing authorities." - Richard Bejtlich, FireEye
"If you asked the question this way, 'Should private companies being robbed by armed robbers be able to shoot back,' the answer would be no. There is no value to shareholders in companies 'hacking back.'" - John Pescatore, SANS Institute
"No, this would amount to vigilante justice and quickly crosses the line into offensive actions that should be reserved for government and military entities. Companies should actively hunt for intruders into their networks, but actions should be limited to containing and eradicating threats on their own property." - Ely Kahn, Sqrrl
"Most of the time there's a clear line between offensive and defensive cybersecurity measures. Companies should stick with a strong defense. Engaging in offensive tactics puts them at risk, especially because they can be duped into attacking an innocent party." - Daniel Castro, ITIF
"The question does not describe reactive measures that take place within the perimeter of the victim network, which would require a more facts-and-circumstances answer – as is generally true of self-defense arguments. The actions referenced take place on the 'attacker' network and read like vigilante justice. Such proposals are fundamentally misguided and are certain to result in victims attacking other victims. This will cause problems to spiral further." - Influencer
"Companies should not be hacking back against malicious actors. However, it is unclear what 'hacking back' means in technical, policy, and political terms. More tangibly, the U.S. Chamber supports federal cybersecurity legislation that authorizes businesses to use defensive measures to protect their information systems. Also, the United States needs to clarify and strengthen its cybersecurity deterrence posture, which should reduce, if not eliminate, the need for companies to so-called hack back." - Matthew Eggers, US Chamber of Commerce
"No, since American companies run the risk today of violating US law (CFAA) in hack back cases, though there's probably a fine line between (i) engineering forensics to identify or attribute a system intrusion and necessary defensive security responses, and (ii) retrieving stolen data or disrupting current and future attack paths or sources. For better or for worse, the policy debate may be driven by technical advances and this convergence, and we may see the law adjust accordingly for certain limited responses." - Michael Samway, Georgetown University
"Attribution is far too difficult; even the experts and law enforcement often get it wrong." - Influencer
"Sometimes the best defense can be an offense, particularly with attackers who would be difficult to track and bring to justice." - Chuck Brooks, Xerox
"A better answer is, 'sometimes'. You obviously can't 'retrieve' stolen data the way you could try to retrieve a stolen car ... and you wouldn't want the government to empower vigilante 'justice' on a broad scale ... but if a big firm wants to strike back at an attacker, it can easily today hire a third party (often in another country) to do the dirty work on its behalf. That cat is out of the bag already." - Influencer
"Government is and will continue to be late to need here. The private sector needs and deserves more freedom of action." - Influencer
"My answer is a qualified 'yes.' Over 80 percent of critical infrastructure is owned and operated by private interests. Governments also depend on these in support of their missions. It is the height of folly to believe that a national government can either prevent all attacks before the fact, or even be available rapidly enough to address every occurrence. While it would be preferable to design systems from the ground up to be more resilient in the face of attacks, the reality is that the odds are heavily skewed in favor of attackers and against defenders. I am not advocating for completely ad-hoc reckless retaliation after a breach. There are ample precedents in other industries (including long line telecommunications) for companies to maintain defensive capabilities that have sometimes bordered on police powers, and with international scope. Any national conversation of effective cybersecurity deterrence has to take into account the capabilities of private actors with a vested interest in the continued operation of their assets and companies. For those of a historical bent, remember that in the US there is constitutional authorization for 'letters of marque and reprisal.' This was one of a very few mitigation strategies at a time when national navies couldn't be everywhere in the oceans at once, and maritime commerce faced an almost existential threat from piracy." - Bob Stratton, Mach 37
"Yes, but ... there is a lot of policy space in between reactive approaches such as building higher walls and better locks after you've been breached and 'hacking back.' If by hack back the intent is to allow the use of honey pots and beacons to retrieve data for forensics purposes, then yes." - Influencer
"There are three choices: reinforce the CFAA, hint that for the time being hack-backers will not be prosecuted, and change the law. The best choice may be the middle one that allows the private sector to let off steam and complicates the decision-making of the attacker, but removes the US Government from the hack-back decision and hence deflects part of the blame. Keep the policy until the costs exceed the benefits (if they do so at all); then remind everyone the CFAA is still in effect. The other two courses allow no learning (the first because it squelches the activity and the third because it is hard to reverse and looks as if the United States is giving up)." - Influencer
"Sort of yes ... There is no question that a mechanism needs to be developed that allows organizations to disrupt adversaries in their ability to steal proprietary data. But it needs to be controlled in a way that ensures that some form of due process is applied. Allowing companies 'in general' to take these actions is ill-advised. It should be left to 'professionals.' Of course, the definition of 'professionals' is the issue - law enforcement? Certified private entities? Others?" - Rodney Joffe, Neustar
"They can choose to do this, but would have to face the liabilities if they make a mistake." - Influencer