It’s an old story. A band of outlaws goes after an innocent village. Unable to defend themselves against the threat, the villagers hire a band of brave gunslingers to defeat their foes. Or perhaps they hire samurai, or wizards, or a giant robot. The characters change, but the story remains the same.
The old story plays out every day online, where hackers launch attack after attack on corporate networks. The Ponemon Institute, the cyber security think tank that sounds like a Pokémon, reports that 51 percent of company networks receive daily or hourly malware attacks.
Companies usually adopt a siege mentality toward malware attacks, bolstering their defenses and trying to stay one step ahead of attackers. An increasing number, however, take the villagers’ approach and hire virtual muscle to hack back at their attackers.
Hacking Back — Tempting, but Illegal
On one level, hacking back sounds like a great idea. The company can retrieve lost data and disable the hacking network. A “hack-back” could use the hacker’s computer camera to take a photo of the crook, and launch counter-malware to neutralize threats.
Just one problem, though: U.S. federal law (the Computer Fraud and Abuse Act) prohibits accessing a computer without authorization, and it makes no exception for a computer that attacked you first. Hack back and you have committed the same offense as the original intruder. Even so, some companies see hacking back as a way to avoid publicly announcing a data breach, even if it means breaking the law.
Third Party Damages
In addition to being illegal (at least in the United States), back-hacking runs the risk of collateral damage. The infrastructure behind an attack rarely belongs to the attacker: it is usually a botnet of infected third-party computers whose owners are victims themselves.
Let’s say I clicked on a bad link, introducing malware into my computer or CMS. My machine becomes part of a botnet of thousands of similarly infected machines. While I’m typing “What is a probiotic” into Google, the hacker uses the botnet to breach a company’s security.
Striking back, the company releases a counter-virus to disable the botnet, defeating the nasty hacker and possibly bricking my infected computer in the process. If word of the counter-hack leaks, I, along with thousands of other people, could sue the counter-hacker and report it to prosecutors, because it gained unauthorized access to our machines just as the original attacker did.
Government Policy and Back-Hacking
Think-tanks are somewhat divided on back-hacking. Hacking costs American businesses billions in stolen information every year, making it a matter of national security as well as corporate losses.
The Commission on the Theft of American Intellectual Property suggests private companies should be able to retaliate against cyber attacks, although it stops short of encouraging such behavior and reminds companies of current legal restrictions.
On the other side of the debate are people such as James Lewis, director of the Center for Strategic and International Studies’ technology and public policy program. Lewis notes widespread back-hacking would make cyberspace less stable, defeating international attempts to make online life safer.
Lewis also notes most companies lack the skills to launch effective back-hacks. After all, if your company’s cyber security couldn’t protect you, you probably lack the resources and skills to back-hack.