Experts Analyze Proposed Bill Allowing Private Entities to 'Hack Back’

If the average American has the right to defend his home by striking back, why can he or she not defend networks in a similar fashion?

The ‘hack back’ controversy is like a well-rooted weed. No matter how often it is cut down, it always comes back. The latest iteration is a bi-partisan bill (S. 2292) introduced this summer that would require the DHS to weigh up the potential benefits and risks of allowing private entities to ‘hack back’.

The idea persists because it is a form of self-defense – and the right to self-defense goes deep into the American psyche. The nation was founded as a form of self-defense against British imperialist tyranny; the right to bear arms continues the right of the people to defend themselves against any form of tyranny.

If the average American has the right to defend his home by striking back, why can he or she not defend the network in a similar fashion? Because this is an emotional response to aggression, it will probably never go away.

S. 2292 is cited as the “Study on Cyber-Attack Response Options Act”. It was introduced on June 24, 2021 by Senators Sheldon Whitehouse, D-R.I., and Steve Daines, R-Mont. Its purpose is to require the DHS to study and report on the risks and benefits of allowing private organizations to hack back at cyber aggressors, “subject to oversight and regulation by a designated Federal agency”.

This is different from earlier attempts to legalize hacking back. Instead of demanding the right, it asks the DHS to justify – in some detail – why private entities should not have that right. The DHS is required, within 180 days of the enactment of the Act, to address the impact of hacking back on national security and foreign affairs, and then make recommendations on the federal agency charged with providing oversight, the level of certainty in the identity of an aggressor that would be required, which entities would be allowed to hack back and under what circumstances, what actions would be permissible, and what safeguards would be put in place.

On the surface, the Act appears eminently reasonable, and almost an invitation for the DHS to shoot down the hack back proposal. In practice, its effect is likely to be very different. The DHS is unlikely to go into detail on the effect on national security and foreign affairs, since that detail would touch on classified capabilities. Its public response will likely be much weaker than its private certainty.

With relatively weak arguments against hacking back, the rest of the Act simply says, ‘OK, how should we implement and regulate hacking back?’ For opponents of a general right to hack back, this Act is possibly more dangerous than it first appears.

Private entity hacking back gains plausibility because it mirrors what is already happening at the government level. While still assistant attorney general for the Justice Department’s national security division, John Demers told the Washington Post (July 1, 2021), “The Justice Department is increasingly aiming to disrupt adversaries’ hacking activity rather than just call it out in indictments.” While indictments might name members of Russian intelligence and the Chinese military, the cases will never come to court and the action has zero effect on continuing aggressive cyber activity.

The argument then becomes: if the Justice Department can do it, why can experts within private entities not do the same under Justice Department oversight?

But despite the longevity of the hack back proposal, the arguments against it remain as solid as ever. In a blog response to S. 2292, Jen Ellis, cybersecurity advocate and community convenor at Rapid7, says bluntly, “There’s a wealth of reasons why hack back is a bad idea.” Top of her list is the impossibility of 100% certainty in attribution. Governments may be certain with their additional sigint from the Five Eyes, but this is not information they can share with the private sector. Without that, “It’s essentially impossible to know for certain that we’ve accurately attributed an attack.”

“We are often fairly sure who did it, but rarely 100% certain,” adds Hitesh Sheth, President and CEO at Vectra; “and if we’re making a case for cyberwar, ‘fairly sure’ isn’t good enough.”

If hacking back becomes legal, the practice and sophistication of hackers’ false flags will simply increase. Dirk Schrader, global VP of security research at New Net Technologies (now part of Netwrix), is concerned about inevitable and consequent collateral damage. “Unimpressed attackers will only heighten their efforts to hide their traces and the instinct of swift reaction will make it likely an unwitting decoy will be the victim of a hack back attempt.”

If we get innocent collateral damage, what effect will that have on international relations? “This raises questions on how governments will respond when their citizens are being attacked as part of a private-sector hack back gone wrong, and whether it will likely lead to escalation of political tensions,” comments Ellis.

Sheth expands on this idea. “One problem is a lack of governing norms for global cybersecurity — there are no equivalents to the Geneva Convention,” he told SecurityWeek. “A second is the potential for an offensive counterstrike to veer out of control, or escalate in unforeseen, catastrophic ways. Cyber is too new a sphere of warfare for us to predict all outcomes. There are likely to be wheels we don’t want to set in motion.”

Jake Williams, co-founder and CTO at BreachQuest, responds to S. 2292’s query on the effect of hacking back on national security. “Even assuming safeguards could be put in place,” he told SecurityWeek, “hacking back can impact intelligence collection. No government source could possibly be sure that a private organization hacking back wouldn’t interfere with an ongoing US intelligence operation.”

But it’s not just U.S. operations. What about GCHQ and Mossad, and the French, German, Dutch and Australian agencies? “Add to that our intelligence partners,” continued Williams, “and it seems a hopeless problem to solve. Even if the approving federal agency had perfect knowledge of every intelligence operation being performed by the US and its partners, telling a private entity ‘this time you can’t hack back’ would alert them to the fact of the ongoing operation.”

Both Ellis and Schrader believe that rather than attacking the attackers, better defenses should be the way forward. Schrader adds the need for improved international cooperation on cross-border law enforcement. “Efforts directed at increasing the cyber resilience of the private sector, of critical national infrastructures, and the administration are better approaches, combined with international effort to harmonize the illegality of cyber-crime across the globe and to form alliances that enable swift cross-border law enforcement actions to tackle any kind of cyber-crime, including sexual exploitation of children, business email compromise, malware, and all other forms of it,” he suggests.

Rather than hacking back, says Ellis, “Organizations should perhaps focus instead on user awareness training, reducing their attack exposure, managing supply chain risk, proper segmentation, patching, Identity Access Management (IAM), and all the other things that make up a robust defense-in-depth program and that we frequently see fail.”

She gets the final word: “While we understand and sympathize with the desire to do more, take more control, and fight back, we urge policymakers to be mindful of the potential for catastrophe.”

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.