Hacking back is a terrible idea, but companies are still keen to try it

Tired of being attacked by cyber criminals, some organisations are keen to take the fight back to the hackers. But the risks of ‘hacking back’ are likely to be much greater than any potential gains.
Hacking back against an assailant — perhaps tracking down the systems they are using and either deleting the information they stole or disabling the computers — is currently illegal. But a new survey from Fidelis Cybersecurity has discovered that companies think they have the capability to respond more aggressively to hacking attacks, should they so wish.
Over half of respondents said that companies should be able to hack back, and that their organisation had the technical ability to identify an intruder, infiltrate their systems and destroy any data that had been stolen after a cyber attack.
And over half of executives said that, if it were legal, they would rather hack back to get the decryption keys after a ransomware attack than pay the criminals to regain access to their data.

Despite believing they could take the fight back to the hackers, in reality most businesses don’t have those skills, said Andrew Bushby, UK director at Fidelis Cybersecurity. Top concerns about such a strategy include issues around attribution — identifying the actual perpetrator — and the risk of collateral damage, according to the survey.

[Chart: The risks of hacking back. Image: Fidelis]
Indeed, if companies were financially liable for any damage caused to innocent computers as part of hacking back, 63 percent of execs said their company would be less likely to attempt it, although a gung-ho 15 percent said they would still give it a go.
This is not an entirely academic discussion: in the US, the Active Cyber Defense Certainty Act — currently in draft — would make it legal for hacking victims to return cyber-fire.
The draft law argues that “as a result of the unique nature of cybercrime, it is very difficult for law enforcement to respond to and prosecute cybercrime in a timely manner, leading to the existing low level of deterrence and a rapidly growing threat.”
Under the proposed law, it would be legal for a defender — the victim of persistent unauthorized intrusions — to use “active cyber defense measures” to access the systems of the attacker to gather information for law enforcement, or to “disrupt continued unauthorized activity against the defender’s own network”.
But companies hacking back would not be allowed to “intentionally” destroy information that does not belong to them or “recklessly” cause physical injury or financial loss, or create a threat to the public health or safety. Companies hacking back could not go near government systems either, and would have to notify the FBI before they did anything.
The draft US law also notes that “computer defenders should also exercise extreme caution to avoid violating the law of any other nation where an attacker’s computer may reside.”

Recipe for disaster

It’s frustrating that cyber criminals can operate with apparent impunity. But even with the caveats in the law it’s hard to see that allowing victims to try to hack back would be anything other than a disaster.
Hackers don’t launch attacks from their own systems; they find some unsecured servers and use them as a staging post. They might route their campaign through dozens of different systems across the world before finally arriving at the network they really want to attack.
Following hackers back through that labyrinth can take days or weeks, and often the trail goes cold. Hacking back could also ruin the digital forensics needed by law enforcement agencies to actually catch the criminals involved.
It’s easy to come up with scenarios where hacking back goes badly wrong. What if a company chasing hackers comes across the stolen secrets of one of its main competitors, for example? What if hackers use the systems of a hospital (or a power station) as a staging post for their attacks, and pursuers accidentally damage or destroy medical records (or safety systems)? What if the hackers turn out to be backed by a nation-state: could hacking back cause an international incident or instigate a cyberwar skirmish?
Improving IT security should be the priority: many cyber attacks only succeed because companies have failed to patch known vulnerabilities in their systems, or have failed to adopt basics like two-factor authentication. More money to investigate cyber crime would help too. But giving victims the ability to hack back is only likely to exacerbate the situation.