Showing results for 
Search instead for 
Did you mean: 

Should Companies be Allowed to "Hack Back"?

Retired Webrooter

Should Companies be Allowed to "Hack Back"?

This is a debate that has been going on for years.  Should companies be allowed to "hack back" against malicious hackers?




From Forbes (full story in link):


Chris Rouland hasn’t spoken in public much since he created the secretive cybersecurity contractor known as Endgame five years ago. But he broke his long silence Wednesday to voice a request to lawmakers: Give government agencies and private firms more power to retaliate against those who hack them.


“I do think eventually we need to enable corporations in this country to be able to fight back,” Rouland told an audience Wednesday night at the Carnegie Council on Ethics in International Affairs in New York. “Let’s say someone takes ten million dollars in gold bullion [from you] and you call 911 and they don’t call you back for a week. When do you go get it ? Because for me it’s probably that night. And I think that’s a realistic metaphor of where corporations are today. They’re losing millions of dollars and it’s so challenging for governments to help them, I think we have to enable them to do it themselves.”


The notion of “hacking back,” sometimes described as “active defense,” has been hotly debated within the cybersecurity industry and in government. Some have warned that retaliatory hacking risks collateral damage against unintended targets, or even escalating a global cyber arms race. But a provision in the long-stalled Cyber Intelligence Sharing and Protection Act (CISPA) included a provision that would offer legal immunity to firms that engage in retaliatory hacking. Meanwhile, many companies aren’t waiting for legal exemptions: A survey by the security firm nCircle at the Black Hat security conference last year found that more than a third of the 181 respondents had engaged in hacking those who hacked them, and 13% said they’d done so “frequently.”


The survey that is cited is somewhat telling, but it should be taken with a grain of salt.  It was taken at Black Hat and was comprised of 181 attendees - most of which are hackers themselves or who have an interest in hacking.  Actual public opinion on this issue tends to be all over the place.  It didn't help the cause that the legal immunity that would have been granted to companies who engaged in retaliatory hacking was packaged into the extaordinarily unpopular CISPA bill.


On one hand, if a hacker steals your company's data, it's not as though you can pick up the phone and call the internet police.  There can be all sorts of legal difficulty in dealing with the perpetrator, and just finding him might prove to be more trouble than it's worth.  Even if you do find him, that does nothing to solve your hacking problem in the short term.  Maybe he's copied all of your data onto a remote server that you can see but can't remove without hacking back.  Or maybe you know for certain that your company only has a limited amount of time to do anything before the hacker gets away.  In that case, is it reasonable self-defense of a certain kind to hack back? 


But on the other hand, all that legal stuff is kind of important.  If exemptions to hacking laws are made available on the pretext that if somebody else hacked you first, it's ok to hack them, at what point do you have to actually prove that the original hacker actually hacked the victim to start with?  It seems like there's no presumption of innocence until proven guilty under such a scenario.  And what happens when internet vigilantism ends up affecting the wrong person?  A company might mistakenly hack back along a false trail and really make a mess of some innocent person's computer.


Is hacking back the solution?  And if it isn't, then what is?  Discuss!

/// JimM ///
/// Former Community Manager - Now Humble Internet Citizen///
/// Also Formerly a Technical Support Escalations Engineer ///
Community Leader

Re: Should Companies be Allowed to "Hack Back"?

Thanks for sharing with the community.I found the article quite interesting. My initial angry reaction might be to want to bring the perpetrator to his knees and wipe out his entire infrastructure. Reality then sets in and i start to think a little more clearly about the situation. The hacker will undoubtedly be back up and running in a very short period of time irregardless of what anyone does in retaliation. It really is the job of user, business or home ,to secure their assets in the best, most thorough, and cost effective way possible. If I do my job properly, i will undoubtedly shrink the quantity of potential attack vectors a hacking entity can come at me with. Sadly, most businesses, as well as home users, do a piss poor job of safeguarding their digital assets .The investment in securing your systems properly is dwarfed by the potential financial damage a successful hacking campaign can inflict on a company. I would encourage any business or home user to invest heavily in this regard. Also, educate yourself and all those around you. Focus carefully when staffing your IT departments. Hire some out of the box thinkers. Hold everyone accountable. I have no doubt that, if a user takes the time to carefully weigh everything, they will make the right decision and ward off a vast majority of any potential attacks.

WSA-C Firewall
Hitman Pro Alert
Macrium Reflect
MBAM 3.0(OD)/Diskeeper 15
Windows 10 Pro X64
Community Guide

Re: Should Companies be Allowed to "Hack Back"?

I think why not as long as there's documentation and it's reported, I see it as no different than defending yourself if attacked in a physical alteration, and would consider a company taking steps to disable an attacker self defense. 

Popular Voice

Re: Should Companies be Allowed to "Hack Back"?

I would think it would be worth while, you would not imagine how many companies get messed up by this, I've had to do penetration tests to find vulnerabilities and alot of people don't understand that it literally can only take five minutes for me to do so, and there is one companies that had me collect evidence of the intruder and they did end up getting him, for some reason he wasn't very good at masking his mac address, either way I say yes, that way its less fun for them, or maybe it will turn them into white hat hackers not black hat
Justin Holst
Little Dog Tech
Associates Software Development/ Network Administration/ Cyber Security