The quickest way to launch the cyber equivalent of a nuclear war is for the targets of cyberattacks to try to “hack back” against their tormentors.
Or, maybe not.
The debate over that has raged for decades, with a majority of security experts arguing that the difficulties of attribution and the dangers of escalating retaliatory counterattacks make hacking back a losing proposition.
But what if it didn’t involve trying to corrupt or destroy an attacker’s network? What if it wasn’t exactly “kinder,” but was a bit “gentler,” involving intermediate-level responses like so-called “naming and shaming” of perpetrators, or blocking access to U.S. markets of foreign companies that benefit from cyber espionage?
A recent paper by father and son, Jeremy and Ariel Rabkin, titled "Hacking Back Without Cracking Up," seeks to make that case – that it is not only possible to hack back (what some call taking “active defense” measures) without prompting a catastrophic cycle of retaliation, but necessary, given that annual losses to American businesses from criminal hacking were estimated at $100 billion two years ago and have increased since then.
They cite former National Security Agency (NSA) head Gen. Keith Alexander’s declaration in 2012 that the cybertheft of U.S. intellectual property is "the largest transfer of wealth in world history" as evidence that the status quo is unacceptable.
Even more compelling, they say, is that government has not demonstrated the ability to protect private-sector intellectual property.
They contend that the Cybersecurity Information Sharing Act (CISA), passed last year, “vaguely refers to ‘defensive measures’ but neither authorizes nor prohibits actual hack-back tactics. In brief, more talk, no more action.”
This, they wrote, has apparently left the Obama administration “intellectually exhausted by its effort to assure everyone it is taking the problem seriously – without offending anyone.”
The father and son go to considerable lengths to distance themselves from supporting lawless, Wild West-type counterattacks by proposing that the response be done not by the victims, but by hired professionals – forensic cyber experts with government-approved law enforcement certification, so the retaliation will be measured and much more likely to be against the actual perpetrator.
They cite the cybersecurity firms CrowdStrike and Mandiant, which in 2014 “outed” different hacking groups affiliated with China’s People’s Liberation Army.
The senior Rabkin, a professor at George Mason School of Law, and his son, a software engineer at Cloudera, liken it to a retail store hiring security guards, who have some law enforcement authority against shoplifting or other criminal acts.
In a podcast interview with Stewart Baker, former NSA general counsel, former assistant secretary for policy at the Department of Homeland Security (DHS) and now a partner at Steptoe & Johnson (and an outspoken hacking back advocate), they argued that merely exposing perpetrators could be an effective deterrent – perhaps even spur the federal government to more aggressive action.