What is “hacking back”, what are its advantages and disadvantages, and what role does it play in cyber defence?
Hacking back is “the ability to counterattack with offensive capabilities” (Jayaswal et al. 2002). It involves victims of an attack moving out beyond their network (Couzigou, 2020, p. 485) and retaliating to, rather than just preventing an attack, becoming the aggressor as they company strike back at attackers (McGuigan, 2019, p. 2). Hacking back could include: tracing live attacks back through intermediaries to the source; using ‘beacons’ to track the attacker in the way marked cash is used to track stolen cash (Lindsey, 2019); data recovery (McGuigan, 2019, p. 2) or destruction (Bloch et al., 2018, p. 8); at the most active end, organisations may counterattack, disabling the threat’s infrastructure (McGuigan, 2019, p. 2).
Proponents claim that it can serve the purpose of disrupting a threat in motion and identifying it with a view to prevent future attacks (Lindsey, 2019). Some argue that with accurate threat identification and in the absence of government action, that any response is reasonable (Bloch et al., 2018, p. 10). Detractors raise concerns about two main issues, these are inaccurate identification of a threat and the legality of attacks (Jayaswal et al., 2002). This could lead to retaliation against innocent intermediaries or escalation with states or other organisations and even leading to questions of the legitimacy of the state (Couzigou, 2020, p. 502).
Comparing Jayaswal et al. (2002), Bloch et al. (2018), McGuigan (2019) and Couzigou, (2020), the issue of hacking back appears to have remained unchanged for 20 years.
In Australia the preference for a government, rather than private, response (Bloch et al., 2018, p. 9) is reflected in the Cybercrimes Act 2001. It outlines penalties for a variety of actions considered hacking back, including unauthorised modification of data and impairment of electronic communication (Cybercrimes Act, 2001). In other parts of the world, hacking back is also considered illegal in the European Convention on Cybercrime as well as by G8 members (Couzigou, 2020, p. 493).
An emerging exception to this trend is in the USA, where hacking back is currently illegal under the Computer Fraud and Abuse Act (CFAA). In 2019 the Active Cyber Defence Certainty (ACDC) Act was re-introduced which would allow the use of qualified hacking back (Lindsey, 2019).
My initial response to private hacking back was approval, but that has changed. I will borrow Allhoff & Henschke’s (2018) approach of looking for analogies in other fields with a physical one: would we condone a person chasing a burglar through other peoples’ properties – potentially damaging that property – back to their house and burning it down to hinder burgling again? I would not, even with accurate attribution and tracking, the risk of harm is too great and desired outcomes not assured.
Returning to the cyber domain, hacking back could create a cyber “wild west” with too many actors with not enough oversight or governance (Jayaswal et al., 2002). Under social contract theory, security is the role of the state not private entities (The Ethics Centre, 2016), legal hacking back could potentially “put into question the role of the State and of the rule of law” (Couzigou, 2020, p. 502).
When considering the risk of incorrect attribution, collateral damage and the threat to the social contract, I agree with most Australians (Bloch et al., 2018, p. 9) and do not want to live in a world where private entities are free to pursue vigilante cyber justice, where they could potentially harm innocents, damage state relationships and put the structure of our society at risk.
References
Active Cyber Defense Certainty Act, no. H.R.3270, 116th Congress (2019). https://www.congress.gov/bill/116th-congress/house-bill/3270
Allhoff, F., & Henschke, A. (2018). The Internet of Things: Foundational ethical issues. Internet of Things, 1–2, 55–66. https://doi.org/10.1016/j.iot.2018.08.005
Bloch , V., & Smith, G. (2018, October 17). Pulse: The hack back: The legality of retaliatory hacking. Allens. https://www.allens.com.au/insights-news/insights/2018/10/pulse-the-hack-back-the-legality-of-retaliatory-hacking/
Bloch, V., Peach, S., & Peake, L. (2018). Valeska Bloch, Sophie Peach and Lachlan Peake. Communications Law Bulletin, 37(4), 8–1.
Burgess, M. (2018, October 29). Then and now – coming out from the shadows. ASPI National Security Dinner. https://www.asd.gov.au/publications/director-general-asd-speech-aspi-national-security-dinner
Couzigou, I. (2020). Hacking-Back by Private Companies and the Rule of Law. Heidelberg Journal of International Law, 80(2), 479–509.
Cybercrimes Act, (2001). https://www.legislation.gov.au/Details/C2004C01213
Jayaswal, V., Yurcik, W., & Doss, D. (2002, June 8). Internet hack back: Counter attacks as self-defense or vigilantism? IEEE 2002 International Symposium on Technology and Society (ISTAS’02). Social Implications of Information and Communication Technology. Proceedings (Cat. No.02CH37293). http://dx.doi.org/10.1109/istas.2002.1013841
Lindsey, N. (2019, July 10). Return of the “Hack Back” Active Cyber Defense Bill Has Cybersecurity Experts Worried. CPO Magazine. https://www.cpomagazine.com/cyber-security/return-of-the-hack-back-active-cyber-defense-bill-has-cybersecurity-experts-worried/
McGuigan, A. (2019, August). Hacking back: Justifiable or vigilantism. ProQuest. https://www.proquest.com/docview/2316055855?fromopenview=true&pq-origsite=gscholar
Taddeo, M. (2019). Is cybersecurity a public good? Minds and Machines, 29(3), 349–354. https://doi.org/10.1007/s11023-019-09507-5
The Ethics Centre. (2016, August 31). Social contract theory – Ethics explainer by the ethics centre. The Ethics Centre. https://ethics.org.au/ethics-explainer-social-contract/
