Eric Vanderburg

Like paparazzi on celebrities, hackers pound on our organizational doors almost every second of the day.  It makes us want to hack them back: take them out of the game and end this never-ending battery of our systems.  This is especially tempting following a data breach.  Despite the temptation, most restrain themselves because of laws that prohibit using computer programs and systems to attack others.  However, increases in the damages and losses caused by computer hacking have led some to question this restraint.

At the 2012 RSA conference, Paul Asadoorian and John Strand proposed fighting back by frustrating hackers with systems that waste their time, tracking the attackers, and then disabling them.  Unfortunately, attackers very often route their attacks through other people's systems, so the machine you see attacking you is frequently itself a compromised victim.  Disabling it could take down a company that has no knowledge of the attack.

Some argue that since the systems used by attackers are vulnerable, their owners are contributing to the problem, and that disabling those systems is simply part of the overall solution that makes everyone safer.  In this view, the loss of availability for one company is a benefit to the community.

So far these arguments have focused on reacting to an attack, but Symantec proposed taking it a step further in their article Malicious Malware: attacking the attackers.  They suggested stopping attackers before they launch an attack.  Methods ranging from distributing hacker tools that track the attacker to taking control of hacker botnets would put the hackers on the defensive.

There are people on both sides of the fence, with some, such as John Pescatore, head of Gartner’s Internet security practice and a former NSA and Secret Service agent, doubting whether it can really help.  Pescatore says “There is no business case for it and no positive outcome.”  Others, like cyberwar researcher Sandro Gaycken, believe that governments, which have the sanction to attack back, have not been doing enough.  He believes hacking back can help and that it is justified.  Gaycken says, “Vigilantism could seem justified. It’s that way with self-defense: if the state is not there, and I’m attacked, I can hit back.”

In response to concerns about legality, Asadoorian and Strand recommended modifying system banners and warnings to include a statement that, by accessing this system, you agree that information such as your location will be collected and that your system will be subject to a security check.  In this way, attackers would be consenting to your collecting information on them and running tools to analyze their systems.  However, attackers are not authorized to give such consent on behalf of the owners of the systems they have compromised, so when the connection comes from a hijacked third-party machine, statements like this may be of little legal value.

The debate is going on right now, with serious discussion in the cyber security community of whether hacking back should be officially allowed in the United States.  What are your thoughts?