Counter-hacking: Globally offensive, or worth a go?


Cybersecurity budgets in Asia are growing fast – more than 25% per annum in China, and around 20% per annum in parts of South-East Asia. And that’s a welcome sign, because the array and volume of threats faced by businesses both in the region and worldwide continue to grow faster than most IT teams can handle. That’s prompted some businesses to reconsider a not-so-new approach to cyber defence: hacking the hackers.

Counter-hacking, or “hacking back”, involves exactly what it sounds like: organisations launching cyber counteroffensives against malicious actors who attack them. The concept not only makes sense on a fundamental level, in that “the best defence is a good offence”; it’s also increasingly supported by various factions of policymaking and academia, so much so that the US Congress is considering a bill to legalise counter-hacking – the Active Cyber Defence Certainty Act, also known by its electrifying acronym of ACDC – for a second time after its first attempt fell through. With that sort of momentum, should counter-hacking play a greater role in the cybersecurity strategies of businesses in Asia?

Counter-hacking can easily short-circuit the system

The simple answer is no – most of the time. Counter-hacking remains a legally grey area at best in most Asia Pacific jurisdictions, and definitively prohibited in certain countries like Australia. Apart from exposing organisations to potential litigation, hacking back also runs the risk of interfering with other, legally sanctioned enforcement actions being taken against malicious actors – like those conducted by police forces or other arms of government. And it risks triggering further reprisals from cybercriminals themselves, sparking costly digital conflicts that most organisations will struggle to extract themselves from. Broadly speaking, the same rules apply to hacking back as to vigilantism in general: it may sound good – and feel great – but it ultimately encourages greater chaos for the entire community.

That said, there may be certain instances where counter-hacking makes sense and benefits organisations’ “herd immunity” against cyber threats. Some researchers point out that counter-hacking, like arming cargo vessels against pirates, does offer a powerful deterrent against rampant criminal activity, particularly in regions like Asia where legal provisions for cybersecurity are relatively porous. And counter-hacking has been employed relatively safely in the past, most notably by Sony when it launched DDoS counterattacks against pirates who hijacked troves of unreleased movies and other sensitive data from its systems. It’s hard to say how effective such hack-backs have proven, but they do appear to present something of a deterrent to cybercriminals looking for soft targets.

ACDC Bill notwithstanding, organisations in Asia Pacific should only consider counter-hacking if they’re unlikely to be thunderstruck by any unforeseen consequences. That means employing trustworthy and reliable security professionals to support any potential counteroffensive – not always easy, given the most proficient individuals typically bring with them a history of operating on the fringes of hacking ethics. It also means consulting relevant government agencies beforehand, a process that should not only clear up questions of legality but also potentially provoke authorities themselves to take action on the organisation’s behalf. Finally, IT leaders should only seriously consider counter-hacking as a measure of last resort – when traditional measures prove insufficient, and the threat posed by the hackers far outweighs the potential risk of reprisals or lawsuits.

Defuse the threat, save the day

Instead of focusing on counter-hacking as the tip of their cybersecurity spear, IT leaders in Asia Pacific would do well to invest their growing budgets in tighter monitoring and risk management. A common mantra within the IT community is the “not if, but when” principle for handling data breaches. When they assume that breaches have happened and will happen again, IT teams radically shift their posture on cybersecurity to monitor applications and infrastructure, analyse and reduce their threat surface, and develop processes to respond to any successful hack. That, more than any strategy of retaliation or futuristic technical defences, makes them more resilient in the face of any cyber threat, no matter how sudden or complex.

Investing in vulnerability assessments, deploying monitoring solutions, and writing rulebooks for what to do when a breach occurs may seem far less glamorous than launching counter-offensives against hackers in exotic locations. It can also involve significantly more commitment of time and resources in the long run. While some IT teams will manage on their own by purchasing different tools and platforms, others may also turn to MSPs who specialise in security services. Ideally, such MSPs should hold not only strong cyber credentials, but also familiarity and experience with the widely varying legislative and technical conditions across Asian markets.

To date, no company has been prosecuted for counter-hacking – and not necessarily because it doesn’t happen. While Congress mulls over the ACDC Bill once more, the sentiments of another showman remain more relevant: “the first rule is, you don’t talk about hacking back”. That said, equipping organisations with the tools to defuse any threat – rather than hunting the perpetrators themselves – should remain the top priority for any organisation looking to consistently come out on top in modern cyber-warfare.


Copyright © 2020 IDG Communications, Inc.
