As a strategy, attacking one’s enemies as a way to protect oneself has been promoted throughout history as the best kind of defense. This doctrine has been suggested by Machiavelli, Sun Tzu and even Abraham Lincoln when he referred to “…offensive operations, being the surest, if not the only means of defence…”.
The problem is that this doctrine of counter-attack doesn’t work well in cyberspace. When a company’s assets are hacked, all a company can do is endure the reputation damage, attempt a quick recovery of compromised assets, address vulnerabilities, harden security and move forward.
Options such as attacking the hackers, “hacking back”, counter-hacking, or the more eloquent “active defense” surely go through the minds of every person dealing with a compromise.
Doing so in the U.S. is illegal. The Computer Fraud and Abuse Act (CFAA) makes most forms of counter-hacking unlawful. Retaliation also significantly increases the risk of putting the company in the cross-hairs of more hackers and becoming subject to more attacks.
The legal aspect and increased risk notwithstanding, the ability, effectiveness and value of hacking back are questionable.
A key factor is attribution, the ability to identify the attacker with a degree of confidence that doesn’t turn the victimized company into a reckless villain. Even during naive cyber attacks, hackers attempt to hide their tracks either by spoofing their IP addresses or using intermediate, often compromised systems of other organizations as staging platforms to launch their attacks. Counter-hacking the wrong network, IP or another innocent company’s systems would not accomplish anything.
The effectiveness of counter-hacking should be evaluated against the type and might of the adversary. Starting from the least to the most powerful, the first category is opportunistic hackers, individuals who hunt for technological vulnerabilities. Their motivations range from asserting bragging rights in subversive online forums to asking for ransom in bitcoin to return deleted data and restore defaced websites. Their methods are based on blunt attack instruments that scan thousands of networks and systems for vulnerabilities, using code and instructions found on the internet. For a company attempting to retaliate against these hackers, it resembles an infinite game of whack-a-mole. And typically the hackers have no assets to attack: launching a cyber attack doesn’t require more infrastructure than a computer and an internet connection.
The second category is professional hackers, or hired guns. These freelancers operate with surgical precision. Their targets are specific companies and their motivation can be industrial espionage or disrupting operations to reduce capability and provide competitive advantage for the hacker’s “employer”. Attribution in this case is very hard, as a company attempting to retaliate must distinguish between the party that executed the attack and the party that paid for it.
The third category is state-sponsored hackers. These are literal armies of hackers that deploy coordinated hacking campaigns on a variety of targets, campaigns that may range from industrial espionage against a country’s entire business sector to the disruption of power plants and electrical grids. The asymmetry of power in this case is so pronounced that companies have little or no chance to accomplish anything by launching a counter-attack against a state, other than becoming a prime target.
It is clear from the above that hacking back is a lost cause. Yet companies are becoming increasingly frustrated and continue to discuss options for retaliation. If not active counter-attacks, then perhaps baiting hackers by planting software that operates either as a timebomb or as a beacon in fake but sensitive-looking documents. In the first case, the planted software “explodes” after being stolen, infecting the hacker’s files and network, similar to dye packs planted in bags of money in banks. In the second case, beacon software generates location signals, revealing the location of the perpetrator.
While these methods may make potential hackers think twice about conducting operations, they will do very little to thwart their activities.
It is safe to say that a state-to-state adversarial engagement in cyberspace is a completely different matter. The balance of power is different and its resemblance to military combat lends itself to applying more traditional engagement doctrines such as the strategic offensive principle of war. The number of stories of clandestine sabotage as a counter or preemptive attack is increasing.
The unconfirmed release by the US and Israel of Stuxnet [3-5], a virus released to impede Iran’s nuclear plants by destroying centrifuges, is a case of a preemptive attack. Another, borderline funny, retaliation example is the outing of a hacker by the country of Georgia. Frustrated by continuous Russian cyber attacks, they baited a hacker with software that, once stolen by the hacker, took photos of him using his webcam.
While these and many other similar stories are newsworthy and often have political implications, vigilantism has no place in industry. Companies should focus on excelling in their domains of operation. Organizations in all sectors (manufacturing, banking, health and technology) should act legally and maintain an ethical advantage against hacking attacks, while acting to harden their cyber defenses and make it as hard as possible for hackers to profile, attack and profit from their crimes.
1. “From George Washington to John Trumbull, 25 June 1799,” Founders Online, National Archives, last modified February 1, 2018, http://founders.archives.gov/documents/Washington/06-04-02-0120. [Original source: The Papers of George Washington, Retirement Series, vol. 4, 20 April 1799 – 13 December 1799, ed. W. W. Abbot. Charlottesville: University Press of Virginia, 1999, pp. 156–159.]
2. Computer Fraud and Abuse Act of 1986, U.S. Code, Title 18, Part I, Chapter 47, § 1030.
3. Ellen Nakashima, Greg Miller, and Julie Tate, June 19, 2012, “U.S. Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say,” The Washington Post, http://www.washingtonpost.com/world/national-security/us-israeldeveloped-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html
4. David E. Sanger, June 1, 2012, “Obama Order Sped Up Wave of Cyber Attacks Against Iran,” New York Times, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=0
5. Joby Warrick, February 16, 2011, “Iran’s Nuclear Natanz Facility Recovered Quickly From Stuxnet Cyber Attack,” The Washington Post Online, http://www.washingtonpost.com/wp-dyn/content/article/2011/02/15/AR2011021505395.html