A gentler way to hack back

The quickest way to launch the cyber equivalent of a nuclear war is for the targets of cyberattacks to try to “hack back” against their tormentors.

Or, maybe not.

The debate over that has raged for decades, with a majority of security experts arguing that the difficulties of attribution and the dangers of escalating retaliatory counterattacks make hacking back a losing proposition.

But what if it didn’t involve trying to corrupt or destroy an attacker’s network? What if it wasn’t exactly “kinder,” but was a bit “gentler,” involving intermediate-level responses like so-called “naming and shaming” of perpetrators, or blocking access to U.S. markets of foreign companies that benefit from cyber espionage?

A recent paper by father and son, Jeremy and Ariel Rabkin, titled “Hacking Back Without Cracking Up,” seeks to make that case – that it is not only possible to hack back (what some call taking “active defense” measures) without prompting a catastrophic cycle of retaliation, but necessary given that annual losses to American businesses from criminal hacking were estimated at $100 billion two years ago and has increased since then.

They cite former National Security Agency (NSA) head Gen. Keith Alexander’s declaration in 2012 that the cybertheft of U.S. intellectual property is, “the largest transfer of wealth in world history,” as evidence that the status quo is unacceptable.

Even more compelling, they say, is that government has not demonstrated the ability to protect private-sector intellectual property.

They contend that passage last year of the Cybersecurity Information Sharing Act (CISA), “vaguely refers to ‘defensive measures’ but neither authorizes nor prohibits actual hack-back tactics. In brief, more talk, no more action.”

This, they wrote, has apparently left the Obama administration, “intellectually exhausted by its effort to assure everyone it is taking the problem seriously – without offending anyone.”

The father and son go to considerable lengths to distance themselves from supporting lawless, Wild West-type counterattacks by proposing that the response be done not by the victims, but by hired professionals – forensic cyber experts with government-approved law enforcement certification, so the retaliation will be measured and much more likely to be against the actual perpetrator.

They cite the cybersecurity firms CrowdStrike and Mandiant, which in 2014 “outed” different hacking groups affiliated with China’s People’s Liberation Army.

The senior Rabkin, a professor at George Mason School of Law, and his son, a software engineer at Cloudera, liken it to a retail store hiring security guards, who have some law enforcement authority against shoplifting or other criminal acts.

In a podcast interview with Stewart Baker, former NSA general counsel, former assistant secretary for policy at the Department of Homeland Security (DHS) and now a partner at Steptoe & Johnson (and an outspoken hacking back advocate), they argued that merely exposing perpetrators could be an effective deterrent – perhaps even spur the federal government to more aggressive action.

“You might say this isn’t going to have a big effect on China or Russia or Iran,” Jeremy Rabkin said, “but it’s worthwhile if it just raises the profile of these concerns to the government.”

“If a company could say, “We know who’s doing this. Here are their names and addresses. By the way, here’s his sister, his girlfriend, here’s his mother – you now have all this information and you put it on a website. I think it would be harder for government to shrug this off in the way that it has,” he said.

The two say that besides exposing foreign hackers’ personal information, the U.S. government could take other measures short of cyber retaliation – denying travel permits, denying access to the U.S. banking system, imposing commercial sanctions on firms that do business with the hackers or even suing companies that get trade secrets from hackers.

They say they know their proposal is not a “panacea,” but they say it is a starting point.

The timing of their paper is interesting, to say the least, since it was published by the Hoover Institution about a month before Wikileaks published a trove of emails from the Democratic National Committee (DNC) – an event that has even outspoken opponents of hacking back calling for the U.S. government to impose some kind of retribution against the hackers who stole the documents.

Russian hackers are widely suspected, although that is still being debated.

Whoever did it, hacking back opponents like Bruce Schneier, CTO of Resilient Systems, have called for retaliation. In a blog post, Schneier called it, “an attack against our democracy,” and said the U.S. should confront the perpetrators and, “make clear that we will not tolerate this kind of interference by any government.” He did not specify how he thought the U.S. should make it clear.

However, calling for government to retaliate against a state-sponsored attack is not an endorsement of the private sector doing the same thing, even at a “moderate” level.

Dmitri Alperovitch, cofounder and CTO of CrowdStrike, even though his firm’s outing of a Chinese hacking group was cited in the Rabkins’ paper as an example of what they advocate, was brief and blunt. “CrowdStrike does not hack back and does not support such activities,” he said.

Robert M. Lee, cofounder and CEO of Dragos Security and a former U.S. Air Force cyber warfare operations officer, was also unconvinced. He first objects to the use of the term “active defense” when describing hacking back. “Active defense is not hacking back,” he said. “It’s a misunderstanding in the community that’s been pushed out by media reports and isn’t the actual strategy.”

Lee, who has lectured and written extensively on securing networks and teaches a SANS course on active defense and incident response, contends that the reason so-called “traditional defense” is failing is because, “we don’t do traditional defense.”

He argues that security begins with architecture and what he calls passive defense, and said that, “if you don’t know your network, there’s no way to defend it. The adversary is going to learn what you have, but if you already know that, you’re two steps ahead of them. I’m not saying it’s easy, but it’s doable.”

Beyond that, he said the “cycle of active defense” involves the use of threat intelligence, asset identification and network monitoring, incident response and threat and environmental manipulation.

This, he has written, may involve counterattacks, but, “only inside the defended area and against the capability, not the adversary.”

He likened it to ICBM defense, where the goal is to destroy missiles, not people or cities.

Beyond all that, however, he said hacking back, “is an extremely inappropriate usage of resources. It doesn’t return a lot of value.”

Ariel Rabkin, in an interview, said while he agrees that good architecture improves security, the reality is that it would be very expensive to fix the security flaws in large systems.

“In many cases, changing the architecture of a computer system means rewriting it entirely,” he said. “This is very expensive, takes a long time, and incurs all sorts of additional technical risks.”

The cost of a hack back, he said, “does not depend on the complexity of the system being defended. It depends on the intruder’s level of talent and the robustness of their systems. As a result, there should be some crossover point where it becomes cheaper to hit back than to strengthen one’s passive defenses.”

But Anthony Di Bello, director of strategic partnerships at Guidance Software, said he thinks it is both infeasible and very risky to “deputize” expert civilian security vendors to hack back against suspected attackers.

He acknowledged that the U.S. government has accused hostile nation states (China, North Korea, Iran) of specific attacks, but said he doesn’t think the private sector has that kind of capability, and should not be given law enforcement powers.

“Getting attribution down to the level of identifying a specific individual? I don’t believe many, if any corporations have the technology or skillsets to do that in a repeatable, defensible manner,” he said. “It’s way too easy for attackers to spoof the source of their attacks.”

And he said the escalation risks from hacking back don’t need to be violent to be damaging. “It could result in strained trade relations, disrupt other political negotiations that are ongoing or introduce a lack of trust in technology that my country exports,” he said.

He agreed that government should do more to deal with cyber crime, but said he still believes that, as is the case with other types of crime, private citizens can’t take the law into their own hands.

“If I found evidence that a specific person broke into my house yesterday, am I able to go to that individual’s place of residence and take action? No. I must engage the relevant law enforcement agency,” he said.