Hack Back or Hold Back? Why Retaliation Isn’t the Answer in Cybersecurity

By Cristin Flynn Goodwin with Yash Dutt Sharma, Indiana University (Bloomington) Cybersecurity Risk Management Masters Program

The drumbeat for “hacking back” resurfaces in public policy circles every few years, usually coinciding with a rise in cyber attacks. It’s a logical, emotional response. An attacker has stolen sensitive data, and the security team wants to go after the attacker. It’s entirely predictable that victims, frustrated by their inability to recover their data, start to ask, “How can we fight back?”

Emotionally, it feels justified. Technically, it’s a minefield. From a policy standpoint, it’s an issue that bogs down in liability, unintended consequences, and geopolitics. On the Advancing Cyber Podcast, cybersecurity experts Nathan Case and Stacy O’Mara join host Cristin Flynn Goodwin to debate the pros and cons of hacking back, and the very real risk that the collateral damage is greater than the original harm itself.

Finding the actual attacker and limiting harm

As Nathan Case from Clarity pointed out, in the cyber realm, “you don’t know what you’re actually hitting.” IP addresses can be spoofed, compromised servers used as proxies, and innocent third parties made to look like perpetrators. Engaging in a hack-back risks hitting the wrong target, or the right target with broader consequences than intended, including collateral damage to other customers whose data sits on the same physical host or virtual machine. The effects can cascade: if a victim – or its agent – launches an “offensive” action against a server and wipes the wrong machine, or encrypts information belonging to a large number of companies, those companies may be taken offline for a period of time. The original victim would then find itself in breach of its own provider’s terms of service, potentially drawn into civil suits by the customers of the service provider it damaged, and possibly subject to criminal charges.

In a recent paper from the Center for Cybersecurity Policy & Law, Stacy O’Mara noted that “most critical infrastructure operators lack the personnel, expertise, and tools necessary to hack-back. Without these capabilities, attempts to engage in offensive action could expose organizations to serious risks,” which range from legal or retaliatory risk to reputational risk, and to the broader societal risk of offensive tactics becoming more commonplace, which would in turn require its own security response and mitigation efforts to address the unintended damage.[1]

Experts are justifiably wary

Flynn Goodwin, host of the Advancing Cyber podcast and Managing Partner of Advanced Cyber Law, notes that the largest cloud service providers are not lobbying for the right to engage in offensive cyber attacks. Teams that understand the risks and nuances of attacks, attribution, and unintended consequences are generally not looking for the authority to engage in offensive cyber activity. In fact, these hyperscale cloud security teams will be the same ones cleaning up the mistakes when offensive attacks occur: finding the indicators of compromise, counting the victims involved, and determining with legal teams whether a criminal referral is warranted or terms of service were violated. Sharing information with governments so that they can take action against an attacker is generally more efficient.

Government agencies have the skillsets to engage in offensive technical operations, the legal authorities to ensure proper oversight and operational control of the action, and the ability to engage diplomatically should that be necessary. These processes would be costly for businesses to create, maintain, and insure, and in the case of diplomacy, impossible.

Retribution and escalation

Retaliation by a foreign government is always a risk of an offensive cyber operation. O’Mara warns, “The offensive operations could be perceived as unprovoked or aggressive,” leading to a cascade of geopolitical tension. Flynn Goodwin noted that when one nation state attacks another online, international law governing conflict applies. When citizens or companies are victims of a nation state attack and want to “hack back,” there are fewer options on the table, and the consequences of citizen or company action may quickly escalate to the national level.

What’s the Alternative?

Victims are angry, cyber criminals are not deterred, and nation state activity will only increase. Rather than engage in digital shootouts, government and industry need to do more to address the loss of intellectual property and data, and the lack of deterrence or punishment for nation state actors and cyber criminals. There are opportunities to change how government and industry currently respond to nation states and cyber criminals. These include:

  • Creating a shared taxonomy to define active defense and offensive cyber operations, as the terms mean many different things and that confuses the conversation.
  • Bringing the private sector to the table to discuss roles and responsibilities for attacks and responses, acknowledging that it is not just a government-to-government issue (e.g., the Ukraine response and support).
  • Incentivizing government and industry to provide early warning of anomalies and new tactics and techniques, so that broad guidance can be shared with the community to raise awareness and experts can prepare actual mitigations.
  • Creating legal playbooks and articulating clear roles and responsibilities for government and industry considering offensive actions, to better assess the benefits, risks, and liabilities of any operation.
  • Engaging the cybersecurity community (both government and industry) to discuss defensive capabilities against cybercrime and nation state attack capabilities, including:
    • Technical defenses that can be deployed at scale to de-platform a cyber criminal or nation state actor for prolonged periods of time.
    • Identifying actions that can be “passed up” to national security responders versus those that can be “passed over” to platform providers for remediation.
    • Understanding how the intersection of privacy and security laws and terms of service articulates rights and responsibilities for offensive cyber actions, and making those rights and responsibilities explicit.
    • Clear guidelines for when an action is taken under the direction and control of a government, and when a private sector entity is operating on its own (and the legal consequences of each).

International norms dialogues have addressed the issue of geopolitical restraint in cyber attacks, but they have failed to produce practical actions at a national level and often fail to include private sector interests in a meaningful way. Cyber criminals act with impunity – often for years before criminal cases have some effect – and even then the result is usually a temporary setback rather than a cessation. Nation states will never stop. They are tasked by governments to achieve an objective and are committed to success. Ultimately, governments and private sector partners will need to collaborate to find new paradigms to disrupt attacks earlier and in more asynchronous ways in order to have greater impact.

Defense Wins Championships

The famous American football coach Paul “Bear” Bryant is claimed to have said, “Offense wins games, defense wins championships.” From a cybersecurity perspective, that statement rings true. Of course, it also means that an entire organization needs to be ready for attack activity, social engineering, and anomalous behavior. There are important best practices that each company can implement today to reduce the risk of attackers getting in. That means:

  • Applying security patches and migrating away from unsupported software
  • Implementing multi-factor authentication (MFA)
  • Applying least privilege to accounts across the organization
  • Segmenting networks and enforcing zero-trust principles
  • Training employees to recognize phishing and social engineering attacks
  • Limiting help desk privileges and verifying an employee’s identity before credentials are reset or access is granted

The vast majority of cyber incidents don’t require elite offensive skills to prevent; they require thoughtful cyber hygiene, consistently applied. Despite the emotion of a cyber attack, we need strong public-private collaboration, clear policy, and smarter defense, not “hacking back.” In cybersecurity, restraint isn’t weakness – it’s wisdom.


[1] Stacy H. O’Mara, “To Hack Back or Not Hack Back,” Center for Cybersecurity Policy & Law, Offensive Cyber Operations White Paper.
