Letting Companies Hack the Hackers: What Could Go Wrong?


The idea of corporations using hacking techniques against cybercriminals has been a matter of contention in computer-security circles for years. The debate ramped up in the past week after an independent commission of former high-level intelligence, defense, and diplomatic officials suggested that U.S. corporations be allowed to use otherwise illegal hacking techniques to combat the hackers, some of whom are presumed to be at least loosely affiliated with foreign governments.

One tactic would be the use of software that would lock down a computer if it were used to open restricted files. In order to unlock the computer, a user would have to call law-enforcement officials to get a password. Certain unlucky consumers of online pornography might recognize this type of program as ransomware. Other ideas include using the camera of a hacker’s own computer to take his photograph and deploying software that would destroy computers or networks accessing information without authorization.

Similar tactics are being used by criminal hackers today. Some companies, likewise, have already started hacking back at hackers, according to people within the industry. But there are reasons to be wary of escalating this fight.

First, who knows if the corporate world would even be any good at hacking? Even security experts can find themselves outmatched by adversaries they assume are unsophisticated teenagers. When Aaron Barr of the security firm HBGary Federal boasted that he was going to unmask hackers involved in Anonymous, he quickly lost control of his company’s website, Twitter account, and personal e-mails. Retaliation by hackers backed by the Chinese government might involve more than lulz.

“In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service, or the People’s Liberation Army in China. This is not a contest American companies can win,” wrote James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies.

It’s likely that any ham-handed action will blow up not only in the face of the company involved but also in that of the U.S. government. The country ratified the Budapest Convention on Cybercrime in 2006, which prohibits retaliatory hacking. International law aside, foreign governments might not be so receptive to the argument that hacking by private corporations is independent of government policy.

Further, it’s likely that any offensive action will never make it as far as some den of spies on the outskirts of Beijing. People attacking corporate computers are often doing so from machines they have infected, which are owned by unsuspecting people. Striking back against these machines will sometimes mean attacking people who don’t even know their machines are working on behalf of someone else.

Breaching infected computers to find out about an attacker would likely mean accessing the personal information of people who are unwittingly stuck in the middle, said Chester Wisniewski, an advisor with Sophos, a computer security firm. “No one is going to come in and attack you with their name pasted on their forehead. It just doesn’t work that way,” he said. “Are you going to hack the University of Maryland just because someone took over one of their computers?”

Still, Wisniewski believes current laws force corporate victims of hacking to attempt responses with one hand tied behind their backs. He cites nondisclosure agreements that legally keep him from telling one client about the types of attacks that other clients have faced, leaving them vulnerable. Offensive tactics, he argues, are less important than loosening up restrictions on information-sharing through such legislation as the Cyber Intelligence Sharing and Protection Act. The bill seems to be getting a second wind in Congress this month, although it comes with its own set of controversies.

Shawn Henry, former executive assistant director of the Federal Bureau of Investigation and current president of CrowdStrike Services, another security firm, argues for a strategy he calls active defense. If offensive hacking is tracking down the people who robbed you and getting back at them, active defense is wasting criminals’ time by, perhaps, keeping fake jewels in your jewelry box and hiding the real stuff. His firm currently helps clients implement such tactics, which are distinguished from offensive hacking because they take place exclusively within a company’s own network.
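One concrete form of the “fake jewels” Henry describes is a decoy account planted in a credentials file on the company’s own hosts: no legitimate system ever uses it, so any login attempt with that name means someone read the planted file. The following is an added illustration, not code from the article or from CrowdStrike; the decoy names, the credentials-file format and the sshd-style log lines are all constructed assumptions.

```python
"""Honeytoken detection: flag any use of a planted decoy account."""
import re
from typing import Iterable

# Hypothetical decoy account names. They are planted in config files on the
# company's own hosts and never used by real services, so any authentication
# attempt with them, successful or not, is a high-confidence alert.
DECOY_ACCOUNTS = {"svc_backup_ro", "legacy_admin"}

# Parses the sshd password-auth line shape used in the constructed sample below.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def render_decoy_config(accounts: Iterable[str]) -> str:
    """Build the bait credentials file. The passwords are constructed
    placeholders; what matters is that the account names are unique to it."""
    lines = ["# internal service credentials - do not share"]
    for name in sorted(accounts):
        lines.append(f"{name}:P@ss-{name[::-1]}")
    return "\n".join(lines) + "\n"


def find_decoy_use(log_lines: Iterable[str], decoys=DECOY_ACCOUNTS) -> list:
    """Return one alert dict per auth event that names a decoy account."""
    alerts = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m or m["user"] not in decoys:
            continue
        # A failed attempt still counts: nobody should know this name exists.
        alerts.append({"time": m["ts"], "host": m["host"], "user": m["user"],
                       "src": m["src"], "result": m["result"]})
    return alerts


# Constructed sample log: one normal login, two decoy uses, one unrelated failure.
SAMPLE_LOG = [
    "2013-03-12T03:14:07 web01 sshd[2143]: Accepted password for deploy from 10.20.0.14 port 50122 ssh2",
    "2013-03-12T03:15:31 web01 sshd[2160]: Failed password for invalid user svc_backup_ro from 198.51.100.23 port 41055 ssh2",
    "2013-03-12T03:15:40 db02 sshd[911]: Accepted password for legacy_admin from 198.51.100.23 port 41061 ssh2",
    "2013-03-12T03:16:02 db02 sshd[915]: Failed password for root from 203.0.113.9 port 60001 ssh2",
]

if __name__ == "__main__":
    for alert in find_decoy_use(SAMPLE_LOG):
        print("DECOY ACCOUNT USED:", alert)
```

The detector stays entirely inside the defender’s own logs and hosts, which is the distinction Henry draws between active defense and hacking back.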

Henry says that the uptick in interest in offensive hacking has muddied the waters between legitimate tactics and sexy, but wrongheaded, ones. “We’re not going to hack back,” he said. “But we’re not going to sit here and passively block the blows.”
