Why the hack-back is still the worst idea in cybersecurity

In 2014, Microsoft aimed to disrupt two botnets created by the malicious NJrat and NJw0rm programs that were responsible for infecting millions of computers.

Claiming harm to itself and its customers, Microsoft took a novel action. The company filed a temporary restraining order against third-party company Vitalwerks Internet Solutions, seizing control of the firm's 23 free No-IP domains. The malware was using these domains to establish a command-and-control network.

Microsoft, believing that Vitalwerks was cooperating with the malware operators, did not first notify the company. "We're taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims," Richard D. Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, stated in a post at the time.

Legislation introduced in March 2017 would allow companies a limited exemption to use technical tactics to pursue attackers and protect data. Here's why this is still a very bad idea.


The hack-back's collateral damage

The Microsoft operation worked, but at considerable cost. Vitalwerks had not realized that attackers were using its network, and Microsoft's actions not only disrupted the malware—93% of which used the No-IP service for communications—but also disrupted legitimate Vitalwerks customers.

Nine days later, the companies reached a settlement, and Microsoft issued an apology. "In the process of redirecting traffic to its servers for malware detection, Microsoft acknowledges that a number of Vitalwerks customers were impacted by service outages as a result of a technical error," the company stated. "Microsoft regrets any inconvenience these customers may have experienced."

The case sheds light on the unintended collateral damage that can occur when companies pursue—attacking back at—criminals in cyberspace. With full legal support, Microsoft rerouted another company's infrastructure, disrupting not just the targeted malware network, but a legitimate business as well.

Making hack-backs routine

Legislation introduced last year could make similar instances of collateral damage more common. The bipartisan bill, known as the Active Cyber Defense Certainty (ACDC) Act, gives individuals and companies the legal authority to take action on servers, networks, and infrastructure they do not own to establish attribution of an attack, disrupt an ongoing attack, protect data, and monitor the attacker.

"At a time when the federal government is struggling to defend its own networks, it's unsurprising that they don't have the capability to respond effectively to millions of cyberattacks targeting individuals and businesses," Rep. Tom Graves, R-Georgia, the primary sponsor of the bill, wrote in a column published in The Hill in October.

"When the lack of response is combined with the changing economic forces making hacking more lucrative for criminals, the trend will only get worse unless changes are made."
Rep. Tom Graves

Hack-back legislation is 

Some security experts argue that private action will not resolve the current imbalance between the ease with which attackers can violate corporate networks and the difficulty organizations have keeping the attackers out.

Most companies lack the expertise to safely conduct an offensive cyber operation, said Chris Porter, chief strategist for FireEye.

"Even when the FBI gets a court order and is careful in doing a shutdown, there is still collateral damage. So you can imagine [that], in the heat of an incident, a company responding to an attack could certainly do a lot of collateral damage."
Chris Porter

Porter explained that attackers would also quickly adapt to a world where companies could hack back at each other, using false-flag attacks to essentially bait one company into attacking another.

"If hacking back became a standard, then the more sophisticated attackers would lead their victims to attack back at the wrong people."
—Porter

Hack-backs are already happening, kind of

Yet experts also acknowledged that many companies are already pursuing attackers in ways that could be considered violations of the Computer Fraud and Abuse Act of 1986. Scratch the surface of many cybersecurity companies' incident reports and it becomes apparent that some security researchers have, for example, logged into command-and-control servers to gather information on attackers.

"It is happening," said Bruce Schneier, chief technology officer of security firm IBM Resilient.

"It is, right now, kind of like international bribery. It is illegal and you can't do it, but it is happening."
Bruce Schneier

In one way, the ACDC legislation aims to make such limited measures legal. The bill would also require organizations and individuals to report their proposed activities to the FBI-led National Cyber Investigative Joint Task Force. In an online introduction to the bill, sponsor Graves underscored that protections are built in to punish companies that use the legislation as an excuse to indiscriminately hack.

"ACDC has a very high standard for cyber defenders," he wrote. "If a defender behaves improperly or recklessly, they will still bear the full penalty of existing law. ACDC does not change the existing penalties for 'unauthorized access'; it merely allows a legal defense for such access in cases where self-defense is clearly justified."

Servers serve up international problems

Yet a majority of hacking incidents involve groups that attack from servers outside of the US—and outside the jurisdiction of the ACDC legislation. Pursuing such attackers to servers hosted in other countries might be exempt from US law if ACDC passes, but not from the laws of the country where the server resides, said Josephine Wolff, assistant professor of public policy at the Rochester Institute of Technology.

In an October 2017 column for Slate, Wolff excoriated attempts to legalize private attacks:

"You have to ask: Did the companies violate US law? Did they violate Chinese law?" she said. The ACDC bill would be "a US law, so if you are talking about whether a US company is going into a server in another country, in a lot of cases, that is illegal by their law."

Add in the fact that nation-states are increasingly behind cyber attacks, and it is apparent that stopping the range of cyber operations and criminal attacks is a complex topic, said FireEye's Porter.

Why government-led action is better

For that reason, government action should be preferable to private companies hacking back at attackers, Porter said. In 2015, following escalating attacks, US and Chinese government officials agreed not to conduct espionage attacks aimed at stealing intellectual property or targeting companies for economic reasons.

"What has actually been effective so far, but does not have the same emotional punch as hack-back, is diplomacy."
—Porter

That US-China agreement is a "narrow norm—in terms of international agreements—but one that has held up," he added.

While many countries continue to allow individuals to hack outside their borders—or at least, rarely pursue those who do—the US should not start down that road, said IBM Resilient's Schneier. "The U.S. is at a disadvantage, yes—just in the way that companies are at a disadvantage when others bribe," he said. "But we take the same strategy, such as sanctions, against those who do it."

"We need stronger international agreements that hack-back is bad."
—Schneier
