Scot A. Terban is a security professional with over 13 years of experience specializing in areas such as Ethical Hacking/Pen Testing, Social Engineering, Information Security Auditing, ISO27001, Threat Intelligence Analysis, and Steganography Application and Detection. He tweets at @krypt3ia and his website is https://krypt3ia.wordpress.com. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.
National Security Situation: A future where Hacking Back / Offensive Cyber Operations in the Private Sphere are allowed by the U.S. Government.
Date Originally Written: April 3, 2017.
Date Originally Published: May 15, 2017.
Author and / or Article Point of View: This article is written from the point of view of a future where Hacking Back / Offensive Cyber Operations as a means for corporations to react offensively as a defensive act has been legally sanctioned by the U.S. Government and the U.S. Department of Justice. While this government sanctioning may seem encouraging to some, it could lead to national and international complications.
Background: It is the year X and hacking back by companies in the U.S. has been given official sanction. As such, any company that has been hacked may react offensively by hacking the adversaries' infrastructure to steal back data and / or to deny and degrade the adversaries' ability to attack further.
Significance: At present, Hacking Back / Offensive Cyber Operations are not activities that the U.S. Government sanctions U.S. corporations to conduct. If this were to come to pass, U.S. corporations would have the ability to stand up offensive cyber operations divisions within their corporate structure, or perhaps to hire companies to carry out such actions for them, i.e., Information Warfare Mercenaries. These forces, and the actions taken by corporations, if allowed, could heighten tensions within the geopolitical landscape and force other nation states to react.
Option #1: The U.S. Government sanctions the act of hacking back against adversaries as fair game. U.S. corporations stand up hacking teams to work with Blue Teams (Employees in companies who attempt to thwart incidents and respond to them) to react to incidents and to attempt to hack the adversaries back to recover information, determine who the adversaries are, and to prevent their infrastructure from being operational.
Risk: Hacking teams at U.S. corporations, while hacking back, make mistakes and attack innocent companies/entities/foreign countries whose infrastructure may have been unwittingly used as part of the original attack.
Gain: The hacking teams of these U.S. corporations manage to hack back, steal information, and determine if it had been copied and further exfiltrated. This also allows the U.S. corporations to try to determine who the actor is and gather evidence as well as degrade the actor’s ability to attack others.
Option #2: The U.S. Government allows for the formation of teams/companies of information warfare specialists, non-governmental bodies that offer hacking back as a service. This offensive activity would be sanctioned and monitored by the government but performed for companies under a letter of marque approach, with payment and / or bounties for actors stopped or for evidence brought to the judiciary and used to prosecute actors.
Risk: Letters of marque could be misused and attackers could go outside their mandates. The same types of mistakes could also be made as those of the corporations that formed offensive teams internally. Offensive actions could affect geopolitics as well as get in the way of other governmental operations that may be taking place. The infrastructure of innocent actors who were merely a pivot point could be hacked and abused, and other, not yet defined mistakes could be made.
Gain: Such actors and operations could deter some adversaries and in fact could retrieve data that has been stolen and perhaps prevent that data from being further exploited.
Other Comments: Clearly the idea of hacking back has been in the news these last few years, and many security professionals have said the notion is a terrible idea. There are certain advantages to the idea that firms can protect themselves from hacking by hacking back, but the general sense today is that many companies cannot even protect their data properly to start with, so the idea of hacking back is a red herring that distracts from larger security concerns.