During a recent cybersecurity competition, teams of students conducting a mock exercise unintentionally caused the U.S. to start a (fake) war. The students were given a variety of options, including diplomatic ones, for responding to a cyberattack by China. The majority of them took an aggressive approach, known as “hack back,” with disastrous consequences. The mock exercise shows how tempting it is to launch a counterstrike in response to a cyberattack — and the potential for significant unintended consequences.
Why Companies Shouldn’t Try to Hack Their Hackers
Proposed legislation in the United States would make it legal for businesses and individuals to “hack back.” Sometimes called counterstrike, hack back is a term for when an organization takes offensive action to pursue, and potentially subdue, the cyberattackers who have targeted it. Proponents of hack back argue that the same principle should apply as the one that allows homeowners to defend themselves against an intruder, even if the intruder is harmed. But for several reasons, such an authorization could cause even more damage and have unintended consequences. To start, it is very difficult to identify cyberattackers, so innocent people could be targeted instead. Even if the source of the attack is properly attributed, it is difficult to isolate the harmful actions, because computer systems are interconnected. It is also hard to understand the attacker’s motivation and determine a proportional response. Furthermore, hack back would require expensive tools and expertise that could put some companies at an extra disadvantage. Finally, the implications of damaging computer systems across borders raise regulatory and legal nightmares. Legitimizing vigilantism by legalizing hack back would be a step back given the substantial risks and dubious benefits.