Letting Cyberattack Victims Hack Back Is a Very Unwise Idea

As the rate of cybercrime increases, so too does the intensity of those attacks. Now, companies like the UK’s Pervade Software are exploring new digital weapons with the goal of better protecting themselves and recovering stolen data. These include turnkey denial-of-service attacks and actions that damage the accused hackers’ computers and data. But taking advantage of tools more appropriate for a vigilante climate will have serious consequences for the health of the internet.



Greg Nojeim (@GregNojeim) is senior counsel at the Center for Democracy & Technology, a Washington, DC non-profit dedicated to keeping the internet open, innovative, and free. David Snead (@wdsneadpc) is a cofounder of the Internet Infrastructure Coalition, founded in 2012 to advocate for internet infrastructure companies.

When victims of malicious hacking turn the tables on their attackers in order to disrupt attacks or access to their attackers’ computer systems, that’s hacking back. For example, if an attacker hacks into a business’ network and steals data, the business may feel the need to punish the attacker or reclaim the data by disrupting the attacker’s system, or by breaking into their system and deleting stolen data. It’s an eye-for-an-eye form of justice.

And while this technique may seem unwise, not all lawmakers agree. Representative Tom Graves (R-Georgia) is circulating a bill called the Active Cyber Defense Certainty Act that would exempt victims of intrusions from current hacking laws, allowing them to hack an alleged intruder to recover stolen data, disrupt strikes, or gather information that would help identify the source of attacks. The bill is being shared with other members of Congress for comments and could be introduced this fall; at least one security firm executive has expressed support for the bill. But the hacking back at the heart of this bill is unworkable; unauthorized access to networks will never be a good idea.

Here’s the problem with retaliating: As many recent hacks have shown, it’s extremely difficult to identify the entities behind cyberattacks. Attackers cover their tracks by routing strikes through others’ computers, which makes hack-back attacks likely to be misdirected at computer systems belonging to innocent third parties.

Continue reading…