Security Experts:

Connect with us

Hi, what are you looking for?



Hitting Back at Hackers: Debate Swirls on How Far to Go

After a seemingly endless barrage of cyberattacks, debate is heating up on hitting back at hackers where it hurts.

After a seemingly endless barrage of cyberattacks, debate is heating up on hitting back at hackers where it hurts.

Amid calls for ways to punish and deter hackers without sparking a so-called “cyber war,” a panel of experts assembled by the George Washington University Center for Cyber and Homeland Security said in a report Monday that US policies should be eased to allow “active defense” measures by both the government and private sector.

However, it stopped short of endorsing the idea of “hacking back” to disable systems used by attackers.

The panel envisioned measures such as taking down “botnets” that disrupt cyberspace, freeing data from “ransomware” hackers and “rescue missions” to recover stolen data.

The report follows a wave of high-profile attacks against US companies and government databases, and after Washington accused Russia of using cyberattacks to attempt to disrupt next week’s presidential election.

It comes after President Barack Obama called for a “proportional” response to Russia, while leaving unanswered whether this would mean a cyber attack or measures such as diplomatic or economic sanctions.

‘Shooting behind the rabbit’

Former national intelligence director and GWU task force co-chair Dennis Blair said the US has been moving too slowly in its response to cyberattacks.

“We are shooting so far behind the rabbit that we will only hit it if the rabbit makes another lap and comes back to where it was,” he told a conference presenting the report.

Hacking Back

Some analysts argue that hackers and states responsible for attacks should get a taste of their own medicine, and that US laws should be amended to allow for hacking back at the cyber criminals.

Some proposals call for private security firms to be “deputized” to carry out legally sanctioned hack-back operations when private firms are victimized.

“Department stores hire private investigators to catch shoplifters rather than relying only on the police. So too private companies should be able to hire their own security services,” said a Hoover Institution paper written by scholars Jeremy Rabkin and Ariel Rabkin.

“There should be a list of approved hack-back vendors from which victims are free to choose.”

Juan Zarate, a former White House national security advisor who now works with the Foundation for Defense of Democracies, said such a model for action could be based on the early days of the republic when Congress issued “letters of marque and reprisal” for private merchant ships to bring in maritime pirates.

In an essay last year, Zarate called for a “cyber-privateering regime that rewards, enables, and empowers the private sector to help defend itself in concert with government.”

Others warn of the dangers of empowering private actors to engage in reprisals.

Nuala O’Connor, president of the Center for Democracy and Technology and co-chair of the GWU panel, argued of unintended consequences of authorizing companies to break into outside computer networks.

“I believe these types of measures should remain unlawful,” she wrote, adding that it remains difficult to be sure of cyberattacks’ sources.

“The risks of collateral damage to innocent internet users, to data security, and to national security that can result from overly aggressive defensive efforts needs to be better accounted for.”

‘Cyber shooting war’

Steve Grobman, chief technical officer at Intel Security, also questioned whether private entities should be allowed to take counter-measures.

Because hackers can easily disguise their attacks, Grobman said a questionable retaliation could create an ugly situation.

“What I worry about is a terrorist entity creating an attack that appears to come from a nation state that creates a public push for some hack back and that leads to a live shooting cyber war,” he said.

James Lewis, senior fellow at the Center for Strategic and International Studies, said the United States has pledged to its international partners to steer clear of these kinds of acts in cyberspace.

“We’ve told people the internet should be based on the rule of law, and (hacking back) would undercut that,” he said.

“The question you always want to ask is whether this would make cyberspace more or less stable. This would make it less stable.”

Patrick Lin, who led a study this year for California Polytechnic State University on the ethics of hacking back, said there is “a moral case for hacking back, but an under-developed case for its legality and effectiveness.”

In the report, Lin wrote that while it is difficult to know whether hacking back has deterrent value, “doing nothing, as seems to be the case now, certainly offers no deterrence and likely encourages cyber-attackers to continue preying on others.”

Related: Hacking Back: Industry Reactions to Offensive Security Research

Written By

AFP 2023

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.