Being hacked is a frustrating experience for individuals and businesses, but allowing victims to hack-back against their attackers is definitely a dangerous and ill-advised path.
Compounding the issues is the apparent inability of law enforcement and governments to do anything about it. Cybercrime is expected to reach a dizzying $6 trillion dollars by 2021, according to CybersecurityVentures’s crime report. With so much at risk and so little being done, tempers can quickly rise. Many are asking why not let people and companies hack-back their attackers? Some have gone so far as to say the U.S. Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI) have not declared it to be illegal.
Well, it is. Not only is it illegal, it is a terrible idea fraught with peril and liability.
This is not the Wild West
Individuals are not judge, jury, and executioner. We as a society have long ago decided upon following the rules of due process. Otherwise chaos and victimization run rampant at the cost of people’s rights and liberties. The same will hold true with cyber hack-back schemes.
Foremost, it is extremely difficult, nearly impossible in fact, to know exactly who is hacking you in a digital environment. Security professionals call it ‘attestation’. Knowing who is behind the attack.
In the course of events and investigation, you may see an IP address of the would be assailant, but it could be false. It is easy to ‘spoof’ your identity and appear as someone else. It is trivial to forge credentials or fake an Internet address, email, machine name, network card number, or just about any other form of digital identity. Even if the offending system is properly identified, it could be hacked itself and under the control of others. You may bring down or impact another innocent victim, just like you. Conversely, someone downstream might inadvertently attack your systems, thinking you were knowingly attacking them.
The risks of unintended consequences are very high
What if your hack-back efforts brings down a hospital, critical infrastructure, or a safety system? Innocent people could be injured or even die. Is that acceptable? You may cause more damage and create more victims. Not a very good plan and you have no way of knowing what cascade effects will result. Hack-back actions may end up being disproportionate and viewed as more harmful to the community than the original offense.
Vigilantism is rarely a good path in modern times. People who believe they have the right to dole out justice then begin to define what is a crime and what they can rightfully do about it. The difference between a crime, what is unjust, and something they just don’t like, can get blurred. This is a dangerous slope.
We do not want just anyone to decide what constitutes being ‘hacked’. There are already cases where people take such situations to the extreme and call foul. I talked with one shop owner who thought a customer’s bad review of their product was a ‘hack’ and they should be punished. They wanted to hack-back this persons systems so they could not write any more bad reviews. I was shocked and strongly advised against such actions. I would not want to give them or anyone else driven by emotion, the latitude to then act upon such opinions.
For some it is tough to fathom. Being attacked and choosing to not respond seems cowardice. But as attribution is not clear, it we must withhold from brazen and unguided outbursts. If your wallet goes missing in a crowded stadium, should you start tackling people who you think could have been involved? That will likely get you in far more trouble with the crowd and with law enforcement. At the end of the day I suspect you will either be in a holding cell or the hospital. Either way, you would have time to reflect on your poor decision.
A terrible idea
Hacking people, even those who you suspect are behind attacks against you, is not recommended. The White House describes it as “a terrible idea”. Security professionals, echo the same sentiment. Hacking others, even if they are in the wrong, opens you up to significant liability. Any business or individual who pursues this course should be prepared to pay a multiple of the damage they cause to whomever they hack. It does not necessarily matter if they started it or not. No matter how passionate you might feel in the moment, lashing out with a risk of harming other systems and people is not the best path.
So let’s put this issue behind us and rally our efforts to more productive endeavors. We should be working on how to better predict, prevent, detect, and recover from attacks. Governments and law enforcement must continue to develop better tools to quickly track down culprits, remove their ability to victimize others, and have the tools to gather necessary evidence to properly prosecute cybercriminals in alignment with established laws and justice procedures. Technology should fuel our evolution forward to a better society, not push us back into feudal states of retribution and individual revenge.