Experts describe how hacking back can be done right

A panel of experts at the RSA Conference all expressed support for the idea of hacking back against threat actors, but each offered caveats in hopes of minimizing collateral damage.

SAN FRANCISCO -- The idea of hacking back -- responding to attacks with offensive measures -- has been a divisive topic, but a panel of experts at RSA Conference 2018 all agreed there are reasons to allow offensive counterattacks as long as they are done in smart ways.

Stewart Baker, partner at Steptoe & Johnson LLP, said a major issue is that the laws surrounding hacking back are "something from the 1980s that seemed like a good idea at the time."

He added that laws like the Computer Fraud and Abuse Act created the idea that everyone should be defending their own network, and therefore everyone would be secure. He likened this theory to requiring every person to "buy new body armor every year" as a way to stop street crime rather than having active policing.

"Everybody is huddling behind their walls waiting for people to come over the walls to knock down their walls," Baker said. "And, not surprisingly, that's exactly what people do because they're not really afraid that their attempts to storm the castle are going to lead to punishment."

Baker, who was previously the assistant secretary for policy at the Department of Homeland Security, suggested it may be time to "push governments toward focusing on deterrents," but admitted that, given the budget issues government faces, it can't put enough resources into cybersecurity. In order to make up this gap, Baker said the private sector could take inspiration from "quasi-government actors," like mall cops, bounty hunters and private investigators.

"We need to begin developing an intermediate force subject to some kind of government oversight which, nonetheless, can be hired by the private sector to do response, to do collection of information outside of the network," Baker said. "There ought to be government oversight, there ought to be liability if the private sector actors cause a meltdown in somebody else's network, [and] they need to tell the government what they found."

While the panelists agreed that hacking back options should be explored, they offered different ideas on what offensive countermeasures could look like. Dr. Salvatore Stolfo, CTO at Allure Security, said he wanted to "break the asymmetry and have, for the first time, the adversary pay a cost" by providing attackers with fake data when they are trying to exfiltrate valuable info.

"I want to feed them unbounded amounts of fake data so now they have no clear idea if what they have stolen is real or not," Stolfo said. "That is costly to the adversary. It's a knowledge-based attack. There's really no risk, as well. The data that they've stolen would have no value because they don't know what's real and what's not."

Stolfo said a major way that hackers monetize stolen data is to leak it, so providing fake data would "take the sting out of an attack" and mitigate the publicity that attackers are seeking.

Attribution and risks of hacking back

The experts all noted that the challenge of attribution is a big factor in hacking back being effective and reasonable. Baker was confident that cyber attribution methods are accurate enough to make hacking back a viable option. Stolfo was not as convinced by the accuracy of attribution, which is why he advocated data poisoning as the best hack back method.

When asked whether it was a good idea to respond to offense with offense or if hacking back could result in destabilization or mutually assured destruction, Dr. Angelos Keromytis, program manager for DARPA, said he didn't see hacking back as an offensive action.

"I view this as defense in the sense that I'm trying to increase the attackers' costs," Keromytis said. "If I can force the attacker to play defense ... if I can deny them use of these spread out infrastructures, then I think that's a very stabilizing factor."

"The status quo is itself inherently destabilizing," Baker added.

"We are so susceptible to attack that we are no longer simply at risk of attack from Russia or China, but the Iranians are getting good at this, Hezbollah is going to be good at this, the Turks are going to be good at this," Baker said. "There are increasing numbers of actors who can bring down power grids for at least a period of time, and the lack of ability to respond to that -- to identify the attacker and respond quickly -- I think is going to destabilize us far more than cleanup troubles."

The concept of hacking back has recently gained traction within the U.S. government. A bill called the Active Cyber Defense Certainty Act was submitted by Rep. Tom Graves (R-Ga.) and Rep. Kyrsten Sinema (D-Ariz.) last year, and the proposed legislation has undergone several reviews and revisions since then.

However, the technology industry appears less willing to engage in offensive hacking. For example, the 34 companies behind the recently announced Cybersecurity Tech Accord, among them Microsoft, Facebook and Cisco, pledged not to engage in any offense in terms of helping governments hack innocent citizens or enterprises, though it's unclear where the organization stands on targeting cybercriminals.
