I’ve been meaning to write this literally for years. But now all this hoopla around “Active Cyber Defense Certainty Act” [PDF] (aka “the Hackback Law”) has triggered me into action.
Let’s start from the obvious – hilarity will ensue:
OMG, people are *seriously* debating this new hack-back law. So wow. Refer the dude to the insane asylum and be done with it 🙂
— Dr. Anton Chuvakin (@anton_chuvakin) May 23, 2017
So, yes, we can all make fun of it (yo ho, AC/DC is now law!), of course. However, this is not about how difficult, funny, or ethically questionable it may be.
This is about how USEFUL it can be. Perhaps my imagination is weak today, but I am having trouble envisioning the scenarios where any hack-back actually delivers value to the non-government defender. Frankly, all the scenarios I envision are kinda idiotic:
- They steal your data, and then you hack them, find the only copy they have and delete it (because hackers never back up and can never hack you again?)
- They send you malware, you find them and send them … 1] the same malware 2] different malware 3] fake malware just to scare them?
- 1] They DDoS you, you DDoS them. 2] ???? 3] Profit!
- They hack you and get your corporate secrets, then you hack them and … steal theirs? dox them? format their machines? All sound very iffy…
- They hack you and plant a logic bomb (BTW, I cringe when I write this!) on your ICS systems, you hack them and actually destroy their ICS electrical systems, thinking that if they don’t have electricity they cannot hack. Sadly, they decide to nuke you 🙁 since they liked their electricity. Boom!
- Perhaps, they hack you – you hack them, and install a beacon on their laptop/phone. When the device beacons from a country where your government can arrest them, you call dispatch_fbi_team(location) API and they get arrested within minutes?
So, help me out. Ethics and attribution challenges aside, what are the cases where “hacking back” will be:
- actually useful to the enterprise, and
- more useful than the alternatives (get a better firewall, hire threat hunters, etc.)?
Otherwise, I feel the inherent asymmetry of “cyberspace” attack and defense kicks in and derails my thinking 🙂