How would you react if you were the CEO of Target in 2013 or the Director of the Federal Government’s Office of Personnel Management (OPM) in 2015 at the time that their respective data security breaches were discovered? Is it ok for a victimized organization or government agency to hack back and what are the dangers?
Solution
I will not hack back until…
A) Not to hack back: it’s illegal:
The very angry people in the room, maybe those who are being, or have been, victimized by criminal hackers, might want to say: “Stuff the law, we won’t get caught, and if we do, the public will be sympathetic; law enforcement will take it easy on us.” I respectfully suggest that public sympathy is little comfort if you are convicted of a crime, or face court-ordered restitution costs for the collateral damage your counterstrike caused. Even in the realm of physical encounters, the legality of striking back is complex and dependent on a wide range of factors, any one of which might put you on the wrong side of the law.
B) It leads to a dark place:
Surely it is better to channel the anger and outrage over being hacked into lobbying for a bigger and better law enforcement response to cyber crime. Clearly, the current state of affairs is unacceptable. Two of the five largest American retailers get seriously hacked but nobody gets arrested. Tax identity thieves rake in $5 billion yet the IRS budget gets cut. Clearly, there is plenty of room to improve law enforcement before we resort to outsourcing cyber-aggression.
C) Known unknowables:
Anyone who has followed the saga of the Sony Pictures hack will know how hard it is to know who is attacking you. While the FBI says it was North Korea, there are plenty of security experts who are skeptical of that claim. Some signs point to insiders, or Russian-speaking persons, or “the Chinese”. A group called Guardians of Peace claims it was them, but who are they? The technical term for this mess is: the attribution problem. It is a very tough problem to solve, but here’s the thing: it is a known problem, which means you may not get much sympathy if you hack back at the wrong person because you messed up the attribution. To put this another way, if you have enough evidence to prove who is attacking you, why not hand it over to law enforcement and have them take legal action? A lot of folks in law enforcement would love to bring an ironclad criminal hacking case to court.
D) It doesn’t solve the problem:
Suppose you do know exactly who has hacked into your network and you hack back at them without causing collateral damage. What have you gained besides a righteous sense of satisfaction? Are you sure that’s the end of that threat? What have you done to stop someone else attacking you? I think some organizations entertain a scenario in which their counterstrike capability earns them a reputation as the guys with whom you do not mess. That scenario assumes all criminal hackers are rational actors, a very dangerous assumption given the history of hacking.