Hacking back: Digital revenge is sweet but risky

As cyberattacks increase, victims are fighting back. But retaliation has its own consequences--and may create more damage.

Let's not mince words: Cyberattacks suck. Whether criminals are hacking our passwords, or Anonymous is simply making a statement, the disruptions and data breaches exact a heavy toll in terms of time, money, and security. For example, after the Associated Press Twitter account was hacked and bogus news was posted about an attack on the White House, the U.S. stock market took a nosedive.

The often dire consequences of cyberattacks have the attention of the highest levels of government. Just yesterday, U.S. senators called on the Obama Administration to pursue sanctions against countries believed to be active in cyberattacks. Cybersecurity is one of the issues Secretary of State John Kerry will discuss when he visits Japan this month.

All this talk is great, but back in the here and now, the situation is tough. When cyberattacks occur--and they will--there's little you can do except control the damage. Unless you hack back, that is.

Digital revenge is sweet--and illegal

Loosely defined, "hacking back" involves turning the tables on a cyberhacking assailant: thwarting or stopping the crime, or perhaps even trying to steal back what was taken. How that digital revenge is wreaked, and whether any of it is legal, are issues being actively debated right now--to the extent that anyone wants to talk about it, let alone admit to trying it. But there's one thing security experts can agree on: Hack-backs are a tempting response to a frustrating situation.

Let's talk about the illegal part first. Even if we skip the obvious moral issues around vigilante justice, hacking back quickly runs afoul of the Computer Fraud and Abuse Act. This law has undergone numerous revisions since it was first enacted in 1986, but Title 18, Sec. 1030 is clear on the point that using a computer to intrude upon or steal something from another computer is illegal.

"There is no law that actually allows you to engage in an attack," says Ray Aghaian, a partner with McKenna Long & Aldridge, and a former attorney with the Department of Justice's Cyber & Intellectual Property Crimes Section. "If you attack an attacker, you're in the same boat," he says.

The only kind of hacking back that's considered tolerable is what you might enact defensively within your own computer or network. What's clearly illegal are offensive hacks, where you leave your territory and actively pursue an assailant online.

Counterintelligence as a service

Even if companies can't hack back, they can learn more about their assailants. Eric Ahlm, a Security Research Director with Gartner, sees a burgeoning business in gathering information about cybercriminals. "The world of counterintelligence as a service is certainly growing," says Ahlm.

According to Ahlm, the companies tracking the bad guys collect vast amounts of data on Internet activity and can home in on specific "actors" who engage in criminal activity. "Without touching or hacking the individual, they can tell you how trustworthy they are, where they are, what kind of systems they use," says Ahlm. "They could link a device to an identity."

While private companies cannot take offensive action with any such intelligence, they can use it defensively to thwart suspicious actors if they're found to be sniffing around company data. "Based off your intelligence of who's touching you," says Ahlm, "you can selectively disconnect them or greatly slow them down from network access." The simple act of slowing down access may be enough to motivate some hackers to look elsewhere.

Fighting back has its risks

Slowdown tactics are routine for CloudFlare, a company that supports websites with performance optimization, security, and other technologies. "In the grand scheme of fight-back tricks, this is one that causes relatively little harm but does a lot of good," says Matthew Prince, co-founder and CEO. "If we are tying up a bad guy's resources, they have less time to attack the good guys."

While cybersecurity is an integral part of CloudFlare's business, Prince cautions that any interaction with attackers carries risk. "Some people out there are real criminals. They have a way of fighting back," he says.

Prince cites the example of Blue Security as a cautionary tale. This company drew raves--as well as criticism--for creating a way to spam back at spammers, clogging their systems and preventing them from sending out more spam. But the spammers fought back, unleashing attacks on Blue Security that caused collateral damage on the Internet. The company eventually closed down operations. "You can easily get in over your head," says Prince.

Hacking back may never be legal

Now that data represents the biggest asset of many companies, the desire to protect that data intensifies and makes offensive measures seem almost a business imperative. Could some form of legal justification be far behind? If hack-backs were ever legalized, Aghaian says, "there needs to be proportionality." In other words, the hack-back can't be worse than the original hack. The complexity of determining proportionality, however, is one of many reasons why hacking back may never surmount its significant moral, legal, and practical issues.

Hacking back can also have unintended consequences, such as damaging hijacked computers belonging to otherwise innocent individuals, while real criminals remain hidden several layers back on the Internet. If you hack back and hurt someone else instead, "you have to be willing to bear the consequences and pay for the damages," says Aghaian.

The more prudent approach, says Aghaian, is to focus resources on protecting your data--and prioritizing which data gets the most protection. "Isolate and identify your crown jewels," says Aghaian. "Your chances of protecting that are far better than trying to protect everything."

No matter how frustrating it can be to fend off cyberattacks, the risks of fighting back are significant. You have to identify the perpetrator. You have to figure out the best way to hack back. Whether or not the hack works, you could face retaliation. While the idea of hacking back is deeply satisfying, its risks remain greater than the potential reward.


Stories by Melissa Riofrio
