Under attack! Should your company ever “hack back”?

Reading time: 7 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

The threat of cyber attacks targeting businesses, specifically those breaches orchestrated by nation states and highly sophisticated hacking gangs, has never had a higher profile.

Barely a week goes past without several reports of private sector organisations that have fallen foul of a targeted attack, and ended up having their data stolen, their communications spied upon, or their business disrupted.

Many of these organisations will have put layered defences in place, designed to minimise the opportunities for a hack to succeed, but still not managed to keep a determined and capable adversary out of their network.

You can imagine the frustration felt by some companies who have found themselves hacked.

Many of these organisations will have hired skilled security professionals, who may have a deep knowledge of the techniques used by hackers to gain unauthorised access to systems.  Some may even be trained in penetration testing (also sometimes known as “white hat hacking”), and have experience uncovering vulnerabilities in systems.

Are companies missing a trick?  Could they not use these tech skills to penetrate their attacker’s own computer systems, which may suffer from their own vulnerabilities, launching a counter-attack which could potentially knock out their adversaries’ infrastructure?

After all, according to Stewart Baker, the former general counsel of the United States National Security Agency (NSA), “If you want to deter attacks, you’ve got to be prepared to do something to the attackers that they fear.”

And what’s more scary for a malicious hacker than being hacked?

There are some politicians who believe that private companies should be allowed to “hack back.”

For instance, in August, US Democrat Senator Sheldon Whitehouse told a congressional hearing that, in the fight against foreign digital adversaries, Congress should permit “capable, responsible private-sector actors [to] deter foreign aggression” as a form of “active cyber defense.”

It’s an idea that keeps cropping up.

Earlier this year, in April 2018, Google and Microsoft teamed up to urge the Governor of Georgia to veto a computer crime bill that would have potentially allowed firms to engage in offensive hacking in the face of an attack.

The tech giants argued successfully that the bill would “make Georgia a laboratory for offensive cybersecurity practices that may have unintended consequences and that have not been authorized in other jurisdictions,” and that it “could easily lead to abuse and be deployed for anti-competitive, not protective purposes.”

The fear, clearly, is that overseas hackers could not only steal data and disrupt private businesses, but could also abuse social media systems for political ends, meddle in elections, or even disrupt critical infrastructure such as the power grid.

Those are genuine and understandable concerns, but that doesn’t make it right in my opinion for private businesses to engage in their own counter-attack hacking activities.

For one thing, do you really want to get into a battle with a determined and sophisticated (and possibly state-sponsored) hacking gang?  If you found a sleepy grizzly bear in your back garden would you seriously consider poking it with a stick?  Or would you feel more comfortable informing the authorities so they could deal with it instead?

In short, it’s all too easy for things to escalate and get much much worse, with hackers striking back even harder.

Additionally, are you sure that you’re hurting the right people?  We all know that attack attribution is very complex, and it’s easy to be misdirected to think an attack is coming from one place, whereas it is truly originating elsewhere.  A counter attack (for instance, a denial-of-service attack launched against an internet server that you believe is co-ordinating an assault against you) could impact innocent parties, or be mistaken for a criminal attack itself that others may wish to counter-attack.

Furthermore, taking the law into your own hands may result in the destruction of digital evidence that would be useful for law enforcement engaged in what may be an expensive and complex investigation.

In short, the computer crime cops won’t always be appreciative for vigilantes wading in to the fray.

This caution about “hacking back” appears to be shared by at least one top official of the US Department of Defense, who told a conference on Tuesday that although industry and private private citizens should be able to defend themselves, offensive counter attacks against hackers could be a “destabilizing influence.”

When you look at the people you’ve hired in your IT security team there may be some who have the skill set to hit hard back at your attackers.  But be wary of making a bad situation worse.  Defend your computer systems and data the best you can, and leave the rest to law enforcement.