The dangers of hacking back

Last Thursday, Representative Tom Graves (R-GA) unveiled an updated version of proposed legislation to empower the private sector to hack back. He had previously asserted that such a bill could have prevented the recent WannaCry hack and empowered “individuals and companies to fight back basically and defend themselves during a cyber attack.”

WannaCry is actually the poster child for why hacking back is a bad idea. (And we’ll get to that in a minute.) That does not mean we don’t need legislation — in fact, WannaCry is just the latest example of why the United States needs a coherent and comprehensive cyber policy — but it does mean that Graves’ proposed legislation isn’t the answer.

In the new discussion draft of the Active Cyber Defense Certainty Act (ACDC Act) proposed by Graves, victims still are allowed to access an attacker’s network and undertake measures to disrupt unauthorized activity. As in the previous version, while victims are still not allowed to destroy any information they don’t own and are restricted from any action that could cause injury, they are still allowed to perform a wide range of activities while accessing unauthorized networks. Perhaps the biggest change in the new draft is that victims must notify the FBI before using these cyber defense measures. Greater information sharing and collaboration with the government is important, but the new draft only requires notification, not necessarily approval.

The introduction of ACDC 2.0 reflects the reality that sophisticated attackers are continuously targeting the private sector and will continue to do so as long as attacks occur without recourse. However, hacking back is not the solution. In speaking to a House Armed Services Committee, Admiral Mike Rogers shared his concern that this bill will be putting “more gunfighters out on the street in the Wild West.” Not only will these reciprocal attacks fail to meet an organization’s objectives, they are also likely to prompt many unintended, and dangerous, consequences.

Let’s consider the WannaCry attack from a technical perspective and apply a hacking-back mindset toward countering it. WannaCry is a worm unleashed via unknown means that propagated rapidly to unpatched victims. Recent speculation has tied the WannaCry attack to North Korean operators based on technical similarities in the malware with past tools attributed to North Korea. But attribution based on tools alone is dangerously error prone. Malware dumps like Shadow Brokers and Vault7, combined with commercial threat reporting, have made code readily available. It’s relatively simple for someone with moderate skill to bring code tied to a nation-state actor into their malware, knowing that researchers will grab onto that thread, pull it, and begin to draw conclusions. We’re not saying that’s what happened here, but deception and framing within code is plausible.

Let’s say it was North Korea, though. As WannaCry made extremely evident, too many organizations struggle with basics like maintaining patch updates. Most organizations lack the talent to go deeper with incident analysis and internal incident response and cleanup. Effective hacking back takes a whole separate set of skills and tools. Even assuming that talent is readily available or brought in via contracted expertise, how would one go about targeting North Korean cyber actors in this case? WannaCry didn’t include command and control or exfiltration servers, which leaves a lot of ambiguity regarding who or what to hack back. Because of this, any claim that ACDC would have helped prevent WannaCry is highly questionable.

Let’s put that aside and consider a more general case. Assume this was a targeted attack with command and control and exfiltration servers, and upstream compromise of an intermediary computer is achieved. Then what? In cases involving data theft, the likelihood of destroying or rendering inoperable the only copy of your own data (which the ACDC draft seems to allow) is extremely low.

An additional distinction in ACDC 2.0 is the prohibition of any activity beyond reconnaissance “on an intermediary computer to allow for attribution.” An intermediary computer is defined as one that is not under the control of the attacker. However, what does control truly mean? Does that imply they legally own the computer or that they have “pwned” it? What about leased or ephemeral infrastructure in the cloud? Also, many attacks contain additional nodes that often serve as decoys and hinder attribution. How far back can the private sector entity go? There is no way the entity hacking back will know they’ve entered territory authorized by the act until they are there, and even then, it may not be obvious.

In short, the results of hacking back seem at best ineffective and at worse could lead to shaking up the hornet’s nest and potentially overstepping the ACDC, likely leading to more severe consequences than the original hack.

Attribution is not only a technical problem, but a geopolitical one too, which could be extremely asymmetric in favor of the attackers. An organization — even one with significant resources devoted to security — has little chance against North Korea’s Unit 180, Russia’s Apt 28, or China’s PLA Unit 61398. Instigating tit-for-tat retaliation with such a group is a losing proposition.

Moreover, cyber attacks are just one form of digital response that these groups could use in response to a hack back. As we saw last year, cyber attacks can be very successful when part of a larger information campaign that includes disinformation, automated social bots, as well as data theft, dump, and manipulation. When a company hacks back, even if they’ve accurately attributed the source of the attack, they risk triggering retaliation not just from cyber warriors but also trolls, which can inflict widescale brand, reputational, financial, and even physical damage. And that doesn’t even touch upon potential responses outside of the cyber domain, such as targeted economic punishment or escalation of interstate tensions.

WannaCry certainly will not be the last cyber attack, and with each attack come new, reactive policies. These policies should not include arming the private sector with offensive capabilities; instead, they should encourage deterrence by denial within the private sector, including everything from strengthening defenses to incentives for adherence to secure frameworks to streamlining collaboration with the federal government.

As Senator John McCain (R-AZ) has frequently demanded, and most recently noted in his opening statement to the Senate Armed Services Committee, “the lack of a strategy and policy continues to undermine the development of meaningful deterrence in cyberspace.” WannaCry epitomizes why the ACDC Act is not this policy. Until a comprehensive policy and strategy are put forth, we will likely continue to see more reactive policies that may actually undermine security.

Andrea Little Limbago is Chief Social Scientist at Endgame.

Mark Dufresne is Director of Threat Research and Adversary Prevention at Endgame.