
Hacking-Back

Cyber-crime against American companies is at epidemic levels. The overwhelming majority of all businesses in the United States have been victims of a hack. Some estimates are as high as 80%. Currently, the cyber battlefield is a largely ungoverned space. Law enforcement is simply not equipped to respond and prosecute fast enough, and the military’s scope is limited to national security. That leaves private companies on their own in the aftermath of a cyber attack.

Even in the absence of proper enforcement, decades-old computer security laws are still denying companies the means to protect themselves. Until there is a better framework in place, private firms need to be allowed to “hack-back”: that means being given the legal cover to defend themselves and retaliate against cyber criminals during and after an attack.

Active Deterrence

 

Opponents of the idea treat it as an indiscriminate retaliatory method that would likely stoke broader conflict, potentially between state actors. The truth is that many hack-back methods are far more nuanced, focusing on “active deterrence” and spoiling the fruits of a hack. 

 

One method calls for attaching a “beacon” to sensitive data. Think of this as a dye pack in a bag of stolen cash. It makes stolen data easier to identify and track. Another is laying a “honeypot,” or trap, or allowing hackers to steal fake data and then following its movement in cyberspace. These sorts of active defenses can help law enforcement and investigators when it comes time for attribution. Think of it as tracking a burglar’s getaway car rather than waiting for police to tediously reconstruct a crime scene.

In many ways, hacking back is less about retaliation and more about understanding how hackers breached a particular system and exactly what data were compromised. Discovering the tools in a hacker’s arsenal can, for example, expose a zero-day vulnerability and allow developers to patch flaws more quickly. 

 

Reform

 

The laws governing the cyber realm are decades old and are in desperate need of modernization. Licensing hacking-back would be a great place to begin urgently needed reforms. Thankfully, Congressional legislation has been introduced to that end. Senator Sheldon Whitehouse (D-R.I.) recently stated, “we ought to think hard about how and when to license hack-back authority so capable, responsible private-sector actors can deter foreign aggression.”

Until the federal government has the resources and infrastructure in place to stem the tide of cyber threats, organizations must be allowed to defend themselves. High-profile data breaches like those at Equifax and Target show that the stakes are simply too high. Congress needs to establish a proper legal framework that permits firms to hit back.

- Brian
