At a recent senior-level cyber summit, the National Security Agency’s director of cybersecurity rebuked growing interest from companies wanting to assist in retaliating against cyber attackers and hacking groups targeting the private sector. Clearly, the pervasive cyber threat environment continues to drive this desire, as cyber attacks from sophisticated cybercrime gangs, nation states, and politically/ideologically motivated hacktivist groups successfully wreak havoc on the private sector. While there have been notable law enforcement and other government successes against these threat actors (e.g., cybercrime forum takedowns, indictments of foreign nationals tied to nation state governments, and disruptions of state-tied cyber operations), the fact remains that they are too little to stem the barrage of hostile cyber activity coming from the diverse cyber threat actor ecosystem. Like any game of whack-a-mole, eliminating one threat only gives way to several others, making it difficult to make a significant impact against the ongoing onslaught.
The appeal for the private sector to “hack back” and gain some semblance of revenge against their adversaries is not new. In May 2013, a private commission on intellectual property theft raised the idea of changing laws in order to allow private sector companies to hack back against attackers, though it stopped short of formally endorsing this controversial position. This sentiment of being able to reach back at a cyber aggressor seemed to gain traction with at least one private company, as well as with former senior intelligence officials like Michael Hayden, who intimated that the private sector would no longer have to rely on the government and would take up its own “cyber” arms against cyber threats attacking their enterprises. Though companies providing hack-back services have not yet materialized, there are several that sell technologies and other offerings that thrive in the “gray area.” The NSO Group, Gamma International, and the Hacking Team, along with the proliferation of the global surveillance industry, reveal the interest in such offensive technology, even if it falls just below the threshold of being labeled an attack.
Laws and Consequences
Yet despite a growing appetite for offensive capabilities, current U.S. law prohibits the private sector from conducting such retaliatory activities, granting that power to the government and a select group of contractors that must comply with strict oversight of their activities. This has prompted the U.S. Congress to initiate legislation that could rectify this problem with two notable bills, one in the Senate (S2292) and one in the House (Active Cyber Defense Certainty Act), both of which address the possibility of letting the private sector get into the cyber fight. Currently, neither one has gained much traction. With the increased role of hacktivist targeting of private sector entities in geopolitical conflicts like Ukraine and now the Middle East, these bills may be stirred from their legislative slumber.
Potential consequences remain a significant obstacle that has kept privatizing cyber attack reprisal in check. When Hayden suggested the potential utility of privatized defense activities, he referred to a company possibly providing such services as a “digital Blackwater.” The choice of reference may seem more fitting than not, as Blackwater quickly fell under scrutiny after its role in the 2007 Nisour Square massacre in Iraq, culminating in the trial and conviction of four of its employees. This certainly called into question the validity of such assets, a concern that is only exacerbated if they can operate without strict oversight and accountability. In the digital domain, where finding ground truth is an enduring process that is not always realized or achieved, the potential for situations to worsen is only amplified.
Cyberspace is marred by layers of complication when it comes to attribution, legal jurisdiction, the role of proxies and for-hire actors, and proportional responses. It’s difficult for governments to get it right, and it’s quite evident that leaving retaliation up to the private sector can quickly become a slippery slope. Misattribution, collateral damage, misinterpretation of adversary intent, and escalation are all possibilities that the private sector may not be considering, and for which it is inadequately prepared. There is undoubtedly a feeling of punitive satisfaction in striking back, but such satisfaction can come at an unexpected price. It is not too far-fetched to think that a company could quickly find itself outmatched and outgunned and turn to the government for help after perpetuating a cyber conflict with a threat actor/threat group. This raises the question of what—if any—role the government would have or be responsible for should a private sector cyber attack lead to a cyber war. It makes sense that foreign policy should not be influenced or dictated by a single event against a private sector company.
What’s more, allowing private sector entities to conduct their own response actions raises the question of consistency across attack types, and what the criteria are for each. What is the proper cyber response for disruption? A breach? Stolen data? Failing to have prescriptive criteria based on measures like volume, impact, and severity would allow for varying retaliation across all industries. Companies might respond too severely or not enough, thereby causing more troubles and digital chaos than is necessary or warranted. Such activities do not contribute to a solution as much as perpetuate the existing problem.
And of course, there is always the possibility of a more massive counterstrike from the original attackers. Shutting down an attacker’s server, disrupting operational infrastructure, or even exposing threat actor identities achieves limited effects. In today’s environment, is anyone under the belief that attackers have only one of everything, that they operate independently, and can be deterred with a hard digital slap? Based on the capabilities and resources of cybercrime groups like ALPHV and FIN7, hacktivist conclaves like KillNet, or the myriad of state actors conducting various forms of cyber disruption and destruction, any hack back could be met with prompt and severe repercussions. This level of concentrated effort against any private sector company could impact business operations, the brand, and client trust—all events that affect the bottom line. What kind of customers/clients would a company have if it’s known they are in an ongoing cyber conflict with a cybercrime gang and its affiliates? Probably not many.
Frequently revisiting the feasibility of private sector hack-backs is disconcerting, as each time it’s brought up, more progress appears to be made, especially with respect to the legislative aspect of it. As more responsibility and accountability are placed on the private sector (and correctly so) for protecting their enterprises, safeguarding data, ensuring privacy, and reporting breaches, it may not be that far-fetched that they should be allowed to engage in the type of active defense the U.S. government has embraced as part of its overall cybersecurity strategy. Granted, there would have to be strict rules for engagement and perhaps even a channel for proposed cyber responses to be vetted by authorities, but a continually deteriorating digital domain may ultimately prove to be too unwieldy to manage through international government cooperation and collaboration. However, this would be a grave mistake and ultimately may only serve to worsen the situation, as private sector companies would invariably be left on their own to defend against ongoing reprisals from adversaries. More chaos benefits only those that are already operating outside laws and any rules of behavior. Moreover, non-state actors’ abilities to opportunistically conduct their activities via a confederation of global affiliates minimize any effect against their operations.
But perhaps more telling is that retaliation does not improve the cyber resilience of the private sector, whose responses will be monitored by the bad guys in an effort to ascertain when and how they choose to respond to attacks, thereby giving them valuable insight into how they will conduct future attacks. The private sector needs to embrace that cyber resiliency is not a set-it-and-leave-it endeavor; it is an ongoing process, requiring constant diligence and a committed investment of time, personnel, and financial resources. This may not be a popular solution, but it’s one that’s needed and something that every organization can and should be doing for themselves.