SAN FRANCISCO—Surely every breached organization has at least considered hacking back as a way of responding to an attack and the loss of its intellectual property. Thankfully there was a room full of lawyers at RSA Conference on Wednesday to remind IT pros what a colossally bad idea that is.
Putting aside the illegality of hacking back for a second, such an action has many tentacles that not only put a company's legal position and reputation at risk but also threaten innocent third parties caught in the crossfire.
“The fallacy is that hacking back is going to solve your problems,” said Christopher Painter, State Department coordinator for cybersecurity issues. “Hacking back is not going to keep [attackers] from still having your IP. If smart attackers are behind your intrusion, they’re going to use proxies and other things to get at you. Hacking back means you’ll likely hit an innocent third party. You don’t get the benefit and you could cause legal and international harm in terms of the way you are perceived.”
Paul Rosenzweig, founder of the homeland security consulting firm Red Branch Consulting, said that part of the problem is that state-sponsored espionage and theft of intellectual property are treated as a legal problem when they are truly a policy issue. He pointed out that there are criminal laws against IP theft on the books of every nation accused of state-sponsored espionage for commercial benefit. Yes, including China. Prosecution across borders, however, is notoriously difficult, though there has been increased cooperation in the takedown not only of big botnet operators but also of profitable cybercrime groups abroad.
“It’s not as though it’s not a crime,” Rosenzweig said. “It is a crime to steal American intellectual property for economic gain if you are a Chinese national. The laws don’t help, which suggests the law portion of this argument is inadequate.”
Painter said that the agreement reached last September between the Obama administration and the Chinese government to end the practice of stealing IP was important because it creates a standard of accountability and a norm—in other words, a win on the policy side.
“It goes a long way toward creating an international standard of conduct,” Painter said. “They have to live up to it, but it creates accountability.”
The experts said that is why it is important to let this play out in the policy arena rather than reduce it to supposedly one-on-one confrontations in cyberspace.
“For one thing, you don’t know what kind of reaction you’re going to get back. You’re punching an opponent you can’t see who may be much larger, like a nation state,” said Mark Weatherford, a longtime security pro whose resume includes stints in state government and at Homeland Security. Weatherford said smaller companies are not adequately resourced to hack back and do not understand the unintended consequences. “It can create serious consequences for a security pro to take matters into their own hands. Most CEOs and general counsels, when they hear about plans to hack back to recover IP, they are aghast at the thought of doing something like that.”
Rosenzweig shared a story of an unnamed organization that had hacked back and learned the likely identity of its foreign intruders. The company's attorney quickly beat back the enthusiasm, pointing out that because the company had a presence in the allegedly offending country, it had broken that country's law as well as U.S. law.
“Their forensic work was good but they were in a legal box they could not get out of,” he said. “It was illegal in their target country and they broke American law. They disabled their chances of getting any assistance because it would have involved disclosure of their criminality. At that point it was about fixing the hole, letting it go and never speaking of this again. Because of their own ignorance of the law, they disabled their ability to respond.”