In mid-2021, members of the Senate Finance Committee introduced Bill S2292, which directed the Department of Homeland Security (DHS) to study the potential pros and cons of allowing private companies to hack back against perpetrators that attack their organizations. Dubbed the “Study on Cyber-Attack Response Options Act,” it looks to answer important questions on attribution, the types of response actions that would be allowed, and what security considerations need to be put into place before retaliation. The Bill is the government’s attempt to address the substantial volume of cyber malfeasance against the United States’ public and private sectors being conducted by both state and non-state actors alike, and have defenders trying to plug increasing amounts of cracks in their cyber security postures. It has become evident that the appetite for combatting cyber-attacks is souring, and that the 24×7 efforts required to provide robust cyber security is waning in favor of more aggressive actions taken by victims.

Bill 2292 is not the first time Congress has tried to write a bill to enable the private sector to hack back. In 2017 and 2019, Congress introduced the Active Cyber Defense Certainty Act (ACDC) that would allow businesses to retaliate against hackers without authorization. These measures included the disruption of hostile activity and monitoring the behavior of the attacker by implanting code in storage and application systems that, once stolen, would activate on the attackers’ computers and enable them to be tracked. ACDC ultimately did not gain traction, as many of the conditions were not well defined, and far too many legal questions were left unanswered or remained ambiguous.

Cybercriminals and state actors routinely victimize private sector entities via a variety of run-of-the-mill and sophisticated cyber activities that result in the theft of sensitive financial, personal, and proprietary data, and the outright theft of money.  No matter the type, these attacks are disruptive and destructive attacks.  Cybercriminals continue to evolve, becoming more organized and professional in their activities  – all the while operating like legitimate businesses. Experts anticipate cyber-enabled crime to flourish for the foreseeable future, estimating that cyber-crime will cost the global community USD 10.5 trillion by 2025. State actors have demonstrated their tenacity when executing cyber-attacks supporting their governments’ national interests, successfully exploiting any organization that falls within their crosshairs. The state of security is grim: the bad guys continue to win the cyber battle, while the U.S. government continues to flounder in trying to defend against their activities.

Moreover, despite noble efforts to help the private sector defend itself via an aggressive information-sharing effort, the government struggles to demonstrate its own ability to improve its own cyber security posture. The best illustration of this struggle is the U.S. government’s “defend-forward” strategy  – which uses entities like U.S. Cyber Command (CYBERCOM) to “proactively” go after attackers like Russian actors and disrupt their activities. The success of this new strategy remains to be seen.  While CYBERCOM has achieved some victories, the war is still ongoing, resembling a cyber game of “whack-a-mole.” As soon as one adversary is put down, another adversary surfaces, which suggests that defend-forward may be a better theory than practice.  One thing is certain: state actors will continue to operate per their respective governments’ directions  – regardless of any compromise of their command-and-control infrastructure.  Indictments may identify attackers and illuminate their nefarious operations, but they certainly don’t stop their activities.

Allowing the private sector to hack-back risks a multitude of consequential responses and likely will not achieve anything but make victim organizations “feel better” about being attacked in the first place. In fact, there are more serious potential problems that can arise from such hack-backs that surpass any “justification” for retaliation:

1. Misattribution and striking back an attacker that is not the true culprit risks reprisal from a separate actor entirely. The difficulty of attribution is longstanding, though not impossible, but requires the victim to be able to identify the offender confidently enough to strike back. Currently, there are no guidelines for making such determination – indicating that hacking-back would be left up to the victim organization’s criteria.
2. Executing a retaliatory disruptive malware attack can cause unintended effects, spreading beyond the intended target and causing more damage than anticipated to collateral organizations. The interconnected information space enables malware propagation, a fact on which some offenders rely (depending on the intent of their operations). One thing is clear when it comes to malware attacks: it’s impossible to get the genie back in the bottle once it’s released.
3. The attacker may be operating out of a friendly nation or using command-and-control infrastructure that utilizes compromised computers of critical infrastructure entities. If due diligence is not exercised, such an incident has the possibility of causing further international conflict.
4. A hack-back can quickly escalate to more disruptive and destructive attacks. Just because the victim may feel the right to conduct a punitive cyber-attack in response to the initial infraction, it doesn’t mean that the offender will stop after retaliation. The offender may elect to escalate and may even call upon other groups to engage in offensive actions against the victim. Perhaps most disconcerting is that the victim may be striking back an offender that is not what he seems. There are several instances where state or state-sponsored actors have been conducting cyber-criminal activities. An attack against one of these offenders could exacerbate an already tense situation, resulting in the victim garnering the closer attention of advanced and well-resourced actors, an unenviable position for any organization.

Further research efforts are required that fully study the intent and purposes of allowing organizations to hack back without legal repercussion. There are many different variables that need to be considered and discussed, as well as scenarios that explore the potential fallouts from hacking back. It’s been often said that cyberspace is the “wild west,” a term that hearkens back to the western United States frontier period often characterized by lawlessness, personal vendetta, and individual codes of behavior. Allowing private organizations to engage in eye-for-an-eye cyber retaliation will only aggravate an information space that is already wrought with malfeasance and offensive activities. Hack-back, it seems, would only exacerbate an already wrought situation.  Given that other nations may follow suit and allow their private sectors to do likewise only increases the probability of hack-backs based on attributions solely based on the defender organizations internal criteria.  Chaotic cyberspace only benefits cybercriminals and state actors to operate with impunity, as it plays to their strengths and experience. They are agile foes that can risk losing resources and operational infrastructure. They can afford to try and fail until they succeed. Organizations are more fixed and less dynamic with more to lose – as any attack can impact their reputations, customer confidence, and ultimately, their bottom lines.

In the end, being able to strike back does not translate into better defense. Its true objective should be to alter offender behavior. If it doesn’t do that, there seems to be no Plan B other than a status quo that is already proving unacceptable. Organizations need to understand and accept that security and defense is a constant state, requiring the investment of well-resourced professionals to do an unglamorous job, in the trenches, day-in, and day-out.  Success may not be measured in a reduction of activity, but in how it is handled, how quickly attacks are mitigated and remediated, and how quickly business is restored to normal operations. A great defense may not be as exciting as a driving offense, but it is the cornerstone of what makes the best teams successful, particularly in the biggest games.  Any championship coach worth their salt would say the same.

 

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

 

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community