Jay Heiser

A member of the Gartner Blog Network

Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…


Hack back, jack?

by Jay Heiser  |  March 20, 2013  |  1 Comment

It would be the rare soul indeed, who, after spending hours or even days cleaning up from a hack, didn’t feel the strong red rage of revengeful urges. And how many PC owners or site managers, still recovering lost data, time, and pride, if presented an opportunity to strike back at their attacker, to make that anonymous bully feel the same pain themselves, would not be sorely tempted to undertake an act of violence and coercion themselves?

The idea that the victim of a computer crime might not only attempt to trace back the attack, but also attempt some form of retaliation, is hardly a new one. It’s a Gibsonesque theme that resonates through decades of cyberpunk novels. But it is the case that the volume of discussion around the topic has been ramping up, a form of legalistic debate that is probably indicative of the underlying smoke of mysterious attacks, and even more mysterious hackbacks. Now that the topic has been discussed in the hallowed halls of the US Congress, it’s more likely than ever to become a topic not just for the family dinner table, but for the corporate policy committee, and of course the national government.

It seems that the act of responding in kind to a computer attack is technically illegal in the USA—as it is in many places in the world. This is not something that has been widely tested through case law, and as a general legal principle, the right to self-defense is widely recognized. But it’s a can of legal, practical, and moral worms.

Hackbacks are nothing new. Whenever value must be protected in an unregulated competitive system, individuals are economically incentivized to take the law into their own hands. Just as drug lords defend their honor and turf through physical violence, some cybercriminals resolve their disputes on servers with obscure domain names. Sometimes, a spammer, vandal, bot master, or criminal hacker has the misfortune to attack someone with the skills and personality necessary to respond in kind. This has literally taken place for decades, out of sight, and out of mind for the overwhelming majority of Internet citizens.

As the impact of cyber crime continues to grow, it seems to inevitably lead to greater discussion about what to do about it.  Historically, when populations become fed up with coercion and violence, they band together to promote self protection.  Depending upon the degree of frustration, Neighborhood Watches can evolve into posses and even escalate to vigilantism. We are already seeing a form of that today with the self-styled Robin Hood approach of the loosely formed network army that refers to itself as Anonymous.

Without taking a stand on either the legality or appropriateness of hackbacks, I’m confident in saying that conducting reverse hacks is more than impractical for the overwhelming majority of Internet victims, and the potential for collateral damage to other hacking victims is extremely high. But I’m also confident in the expectation that as the feelings of digital victimhood continue to grow, the response will be demands for dramatic protective action.  I really don’t know what form that will take, but the coming decade is likely to be an interesting one for both cops and robbers.


Category: Policy risk management security

1 response so far ↓

  • 1 Anton Chuvakin   March 22, 2013 at 6:36 pm

    >It seems that the act of responding in kind to a computer attack is
    >technically illegal in the USA

    Are you positive that responding in kind against the computer NOT in the US is illegal? What is the legal reference for that?

    Most US laws on the topic [I've seen] cover “US computers”……