Hacking Back: Active Defenses Redux?

Following a year of high-profile data breaches, continued lack of guidelines for industry-government information sharing and frequent naming of attack victims as culprits by regulators, one might forgive those on the receiving end of cyber intrusions for revisiting thoughts of alternative cyber protective measures.

The Sony Pictures data capture-and-release heist and the reactions that followed may have provided the year’s only comedic interlude in a year of numerically impressive but otherwise gray-flannel suit, button down breaches that swept across a wide swath of corporate America with seeming ease.

In the larger picture, there are many players in a high-profile attack, and attribution of blame is more difficult. With the FBI fingering the North Koreans as perpetrator of the attacks, a range of detractors claiming otherwise, oft-reversed positions by Sony and high government officials weighing in on the company’s business decisions, one is hard pressed to know where to place the blame for the effectiveness of the U.S. response.

Hacking Back

Noted information assurance authority William Hugh Murray may have captured the spirit of the melee when he categorized the incident as a sort of madcap circus where the response of the film exhibitors was “craven,” the media “gleeful” and our government reduced to “the wringing of hands.”

It is at points such as this that the call for stronger response capabilities such as active defenses, also known as “hacking back,” begins to look more and more like a rational solution.

Interest in reconsidering cybersecurity methods might also be stoked by several years of continuing changes to national cybersecurity strategy, which have left private industry without consistent guidelines to follow in reporting or dealing with cyber incidents. And with cyber incidents up some 215% over the past four years, as noted in a recent DHS report, the issue is only getting larger.

In spite of its poor reputation, hacking back has both its supporters and participants. Tom Kellerman, chief cybersecurity officer for Trend Micro, states “Active defense is happening.” Confirming this belief, a survey at a recent Black Hat USA security conference revealed that an impressive 36 percent of respondents had engaged in “retaliatory hacking.”

If more official sanction for hacking back than the unconventional, venturesome attitudes prevalent at a Black Hat gathering is wanted, such acceptance can be found in a report on intellectual property theft co-authored by Dennis Blair, Obama’s first director of national intelligence. The authors of the study argue that American companies “ought to be able to retrieve their electronic files” which had been misappropriated. Another recommendation was for the government to consider allowing American companies to counterattack following breaches in specific circumstances.

Others call for the government itself to take a stronger role in cyber defenses. An argument for stronger government-driven enforcement measures was heard from National Security director Admiral Mike Rogers, who observed in a recent talk that lax U.S. responses to cyberattacks were leading hackers to believe that there is “little price to pay” for misappropriating U.S. government or corporate data. Adm. Rogers might have thought he was catching the cybersecurity industry at a weak time, as stronger government involvement has long been something many companies are wary of.

A recent Op-Ed in The Wall Street Journal citing President Obama’s statement that cyberattacks are “one of the most serious challenges we face as a nation” leaned strongly toward echoing Adm. Rogers’ call, proposing that due to its critical importance, cyber defense is rightly a government responsibility.

Given the alternatives of continuing to shore up current processes, bringing in more direct government involvement, or establishing rules for the deployment of active defenses, the latter may seem more and more attractive.

However, even hints of consideration of hacking back measures can easily draw strong, swift responses describing such practices in terms ranging from “reckless” and “illegal” to irresponsibly producing undesired collateral damage.

The overall industry tone of caution around active defenses may be calibrated to defuse the notion rather than engaging the argument, buying time for other alternatives to surface. The Washington Post put its attempt at obfuscation this way: “The norms around cyberspace and the technological limits of hacking are evolving so rapidly and unpredictably that it’s tough to really evaluate the upsides and downsides of hacking back. The costs of inaction are clear and substantial, but the costs of expanding the cyberwar to any corporation with an IT department are nearly impossible to judge, which is exactly what makes them so scary.”

One might argue that the absolute necessity of keeping U.S. critical infrastructure functioning would trump such wordsmithing, dictating implementation of “all legal and effective measures” to ensure the country’s national security.

For now, the definition of “legal and effective” measures is clearly in a state of flux. But in an encouraging development, Congress passed at the end of its last session the National Cybersecurity Protection Act of 2014. This measure broadens sharing of cybersecurity information and analysis, as well as incident response assistance from government agencies.
