Should cyberattack victims hack back?
About one out of every two Americans — or most people with a credit card — has been the victim of a cyberattack. Unfortunately, there is a great imbalance of power. The attacker has to be right just once. The defender has to be right all the time. Traditional defense rests on prevention to keep malware out, mitigation to limit damage and collaboration with law enforcement. But many think this is not enough and are calling for giving victims legal protection to “hack back.”
Advocates envision increasingly aggressive actions by the victim or a company operating on the victim’s behalf. They start with identifying the perpetrator, then gaining access to the attacker’s computer. Companies could go as far as deleting or recovering information taken from the victim, or disabling the attacker’s ability to inflict further damage. Some have suggested inflicting retaliatory damage. But is this a good idea?
Here are a fistful of reasons to “hack back”:
We know who the bad guys are. Cybersecurity companies are well acquainted with those seeking to steal information for profit, whether domestic or foreign. The signatures in their malware are distinctive and traceable.
It’s really only defensive action. The victim only takes action after being attacked.
It’s justified. It is generally legal to employ reasonable and proportionate force to prevent the commission, continuance or completion of a crime. Such physical-world rationales as self-defense, hot pursuit, recovery of stolen property and preventing the escape of a fleeing criminal should be transferred to the virtual world.
Government can’t solve my problem. Government does not, and likely never will, have enough resources to protect and help all the private companies under attack.
You can’t win playing only defense. The U.S. government is calling for a policy of deterrence, not just defense.
And a few reasons not to:
It may be illegal. Federal and California laws (the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and California Penal Code § 502) similarly prohibit intentionally accessing a protected computer without authorization and intentionally causing damage. But the intent of these laws is to protect computer users, not to shield criminals.
Accurate attribution is difficult. In many cases, an attacker uses innocent third parties’ computers to launch an attack.
There is a significant risk of collateral damage to innocent third parties. Because it is not always possible to attribute the attack, it also can be impossible to protect the innocent owners of compromised machines used as relays, the so-called “zombies” or “cutouts.”
Civil damages: Even if criminal prosecution is unlikely, other (innocent) companies caught in the crossfire may be far less reluctant to sue.
Retaliation and retribution: If you are going to pick a fight in a bar, it is a good idea to know how it will end. The more sophisticated the initial cyberattack, the greater the likelihood of retribution. Indeed, so-called private actors in China and Russia are, in fact, often state-sponsored and state-resourced. What happens if foreign governments get involved? Will the U.S. government follow suit? Is it better to leave retaliation to the U.S. government?
While the government is working to establish international norms and rules of law, more American companies are asking for the lawful ability to take action on their own. So far, Congress appears willing to authorize companies to engage in only “defensive measures.” Pending legislation protects actions on a company’s own network to block an attack, but specifically excludes actions “designed or deployed in a manner that destroys, disables or substantially harms” another’s information system.
Considering that cyberattacks are a regular occurrence, this is unlikely to be the final word.