Hacking back is a wonderful, wind-swept idea, on the face of it. Private entities that find themselves under attack can hack back and take on their attacker.
It will come as no surprise that this idea is being actively discussed in the US, and the American people are pretty excited about the plan.
Hacking back must be most appealing to the hundreds, if not thousands, of companies that have suffered ransomware attacks, which are nasty and make the whole issue of cyberattacks personal.
According to analysis from security group Sophos, the ways that ransomware attackers operate include extortion, blackmail, personal threats and warnings of follow-up DDoS attacks if the target decides to try to avoid paying the ransom.
It is extremely stressful and makes you think that hacking back might be a decent form of justice.
The problem with hacking back, as Security Week explains, is that it can go very wrong. Companies can never be 100% sure of their adversary's identity. Government security departments, such as the famous GCHQ in the UK, do not share information with private entities, so there will always be that small risk that the hack-back will target the wrong group. It is well known that hacking groups love nothing more than pretending to be someone else in order to ruin that someone's day, too.
There is also the danger of escalation, where the attacker responds to the hack-back by piling on the pressure and attacking the target’s supply chain, partners, shareholders and customers.
Perhaps the biggest worry for the security industry is that allowing private companies to ‘have at it’ with gusto could disrupt ongoing investigations by the professionals, who are beginning to make some headway and are hacking back themselves.
In the last few months, Europol and other law enforcement partnerships have made good progress in bringing the bad guys to justice. Since February, five hackers linked to the notorious ransomware group REvil have been hauled in. Meanwhile, the US has also brought charges against a Ukrainian and a Russian and seized $6.1 million linked to a ransomware group.
It may not sound like much, when you consider the bill for ransomware attacks this year. But it is a start.
The conclusion has to be that while hacking back sounds like a great idea and will fire up those who see it as defending their front yards, a more measured approach is probably more effective.
Education, awareness, information sharing and an alert attitude are the best defences against the dark arts, and while they may not be as exciting as hacking back, they should remain the priority for the foreseeable future.