To hack back or not to hack back?

Hacking back is an ongoing discussion in the industry. Hacking back is hacking; hacking is illegal. You should never hack anything without permission. Various groups argue for and against hacking back so it is not clear whether one should if one could. But first, what is hacking back? It is essentially hacking the hacker(s) that are hacking you.

The United States Cyber Command publicly states the ability to hack back is required and acknowledge that they have used this ability in their cyber security efforts. Fundamentally the Air Force, the Army, and the Navy all have the ability to return fire. The Rules of Engagement universally allow you to return fire after taking fire so the military’s hack back policy makes a lot of sense.

What about self-defense? If you get punched in the face and your assailant is still coming after you, you need to defend yourself. Self-defense classes teach you to target their eyes, nose, neck, and knees because these areas are vulnerable. Should this strategy also apply in hack back scenarios? We are currently punching bags, hoping we don’t get punched in the face repeatedly but unable to strike back if we are.

Worse yet The Canadian Anti-Fraud Centre estimates that less than 5% of mass marketing fraud is ever reported. Fraud isn’t the only type of cyber crime but in general cyber crimes are reported very infrequently. After all what can law enforcement do anyway? And if they can’t do anything, should you if you have the means?

The information security community generally does not support hacking back. Why is that?

  1. You have absolutely no way of knowing who punched you in the face so who do you hack back at?

  2. What if you hack back against an opponent with far greater resources that your own? For example your university security team tries to hack back at Cobalt Dickens? The situation will likely escalate quickly and not in your favour.

  3. The collateral damage will be excessive. When hackers attack your organization, they attack through other organizations that are already breached. If you hack back and actually attack that breached organization instead of the attacker and they detect it they could decide to hack back at you. Where does it stop?

  4. The internet may not survive an exponential increase of these types of attacks. There are already a good number of attacks being perpetrated but if vigilantism becomes rampant and collateral damage increases greatly, the internet as we know it may cease to exist.

Given these 4 points it’s easy to see why the infosec community is against hacking back.

Food for thought

Hacking is rarely prosecuted criminally. It’s essentially already legal due to extremely low levels of enforcement. Percentage-wise hackers are far less likely to be reprimanded than someone speeding down the highway. Ostensibly hacking is completely legal and if that’s the case how are you protecting yourself from it?