A new piece of legislation proposed in October by U.S. Rep. Tom Graves (R-Ga.) and Rep. Kyrsten Sinema (D-Ariz.) would allow Victims of cyber security attacks to “hack back” at perpetrators. The legislation would amend a 1986 law that made it a federal crime to access someone else’s computer without proper authorization. It would call for companies to first report the hack to the FBI, and notify the agency before they can “hack back.”
According to The Hill, “Victims would be able to leave their networks to attribute attacks, disrupt them, retrieve or destroy stolen data and track the behavior of the attacker. They would also, if files were stolen, be able to use beaconing technology to find the physical location of a hacker.”
Cyber security and legal experts have expressed criticism and skepticism about the proposed legislation. It raises a host of legal and ethical questions such as, should companies have the right to mete out cyber forms of retribution or punishment? Should private corporations have the right to engage in cyber offense, instead of only defense? Do companies have the necessary expertise to know who actually attacked them, and how to fairly hack back? And by the way, what kind of hack back would be fair and legal; would courts define some sort of an “eye for an eye, tooth for a tooth” acceptable form of hack back? What if the hackers represent terrorists or a nation-state, but that fact is not realized until after the corporation engages in a hack back; what would be the geo-political implications? For example, this week the US and UK blamed North Korea for launching the infamous May 2016 WannaCry attack; do organizations really feel equipped or willing to tangle with a nation-state group of hackers?
One good aspect of the legislations is that by requiring organizations to notify the FBI, it would make the FBI more aware of cyber security incidents. Furthermore, it would provide some layer of process and accountability; if the FBI is aware of a hack back attempt, perhaps the organizations hacking back would be more fair and judicious in their efforts.
In terms of distributed denial of service (DDoS) attacks, it is typically very difficult for law enforcement to identify the actual hackers, because of the very nature of the attacks; the offending packets come from a distributed network of compromised devices. In other words, the organization or person who possesses a compromised device is not launching the attack, they are just an innocent intermediary, caught up in a DDoS botnet.
Even the FBI can’t easily catch DDoS hackers, so chances are that an independent organization would have a very difficult time tracking them down. Those that are caught tend to be the ones who launched massive, headline-grabbing, volumetric attacks. In reality, the vast majority of DDoS attacks are short, sub-saturating ones that escape the radar of legacy DDoS mitigation solutions. Yet it is those “everyday” stealthy short attacks that can pave the way for hackers to conduct a true security breach that can have lasting, deep impacts on an organization.
Lastly, one has to ask whether it would be a good use of IT security time to hack back. When it comes to DDoS attacks, surely it would be more time and cost-effective to block the attacks with effective DDoS protection rather than to hack back at a nebulous, fleeting enemy in cyber space.
For more information, contact us.