Is hacking back ever a good idea?


So the US government are in the process of drafting a piece of legislation which would, in theory, allow individuals and businesses to 'hack back' following an attack on their networks and systems. At first glance it's a concept that sounds absurd, but upon closer inspection the legislation might actually have some merit.

If somebody were to attack you in the street and you were to hit them back, as long as your response was proportionate to the threat then you'd be entitled to act in self-defence. This is a legally recognised defence that would stand up in court if the police tried to hold you criminally responsible.

Of course, as we know, digital attacks aren't as straightforward. In the previous example, we can clearly identify who's attacking us and respond appropriately. In the digital world, however, this isn't as simple. The main problem faced by those responding to any kind of digital attack is one of attribution.

Offense is often the best form of defense

Consider this for a moment: if the world's leading intelligence services are unable to identify the source of a ransomware attack like WannaCry, then what chance does the average individual or corporation have? Accurate attribution is often a very complex, expensive and time-consuming process that poses a tremendous challenge for law enforcement across the world.

In fact, all but the most amateur attackers will attempt to cover their tracks in one way or another. This can be achieved using anonymity networks like Tor, by employing layered VPN connections and by using other compromised networks and machines to launch attacks. In reality, attackers could even be initiating their original connection from an internet connection that's near-impossible to trace (e.g. public Wi-Fi).

If by some chance you were able to track an attacker down to their originating IP address, then you'd still have to rely on collecting logging information from the network behind it. Reaching this point alone can often take months, if it's even possible at all, so any logging information that was being kept is often long gone.

Then we also have to consider impersonation. It was reported in the news recently that the National Security Agency (NSA) had the ability to plant misleading signatures into their malicious code to make it look like their malware had originated elsewhere (e.g. North Korea). It's the digital equivalent of staging a crime scene to thwart forensic investigators.

Despite this, I do believe this legislation could have benefits, so long as it's written in the correct way. For example, in cases of whaling attacks it may be possible to socially engineer the attackers into revealing their identity. In one particular case, a victim managed to gain access to an attacker's machine and used this as a way to gather enough evidence to identify him to police.

In instances where no malicious damage is caused and the counter-attack is made in order to gather evidence and prevent further attacks, then I believe there could be a valid use case. Of course, you've still got the problem of potentially targeting the wrong person or organisation, which could lead to criminal liability in itself.

Who knows whether this draft bill will go through. It's currently open for public consultation - if you'd like to view the draft then you can do so here: https://tomgraves.house.gov/uploadedfiles/discussion_draft_ac-dc_act.pdf

So what do you think about 'hacking back'? Do you think it's unacceptable? Acceptable in some circumstances? Offense is often the best form of defense, but does that logic apply to the digital world too? Share your thoughts in the comments below!


About The Author

Mike Carthy is an entrepreneur and cyber security specialist. He runs a successful business providing cyber security training to some of the world's largest companies, and dedicates his time to helping businesses to understand and tackle cyber threats. He's been featured in publications such as Laptop Magazine, The International Business Times and Computer Weekly.

Follow me on Twitter: @MichaelCarthy

Check out my blog: www.mikecarthy.com


Benedict Channell BSc, PgDip

Network Rail: Digitalisation of East Coast, Train & Track Signal Systems

7 years

If you can remember a Cruise missile flying through central Baghdad and hitting the Chinese Embassy in Iraq. The CIA claimed the wrong GPS co-ordinates were given to the Navy. Should you wish to believe it, the GPS co-ordinates were correct and the intended target was the Chinese Embassy as it was a collection point for hacking attacks against US defence companies. i.e. stolen information was sent to Baghdad before submission to Beijing. Thus a reverse hack is not always accepted to recover confidential material.
