Should Companies be Allowed to "Hack Back"?

  • 20 September 2013

Userlevel 7
  • Retired Webrooter
This is a debate that has been going on for years.  Should companies be allowed to "hack back" against malicious hackers?
From Forbes (full story in link):
 
Chris Rouland hasn’t spoken in public much since he created the secretive cybersecurity contractor known as Endgame five years ago. But he broke his long silence Wednesday to voice a request to lawmakers: Give government agencies and private firms more power to retaliate against those who hack them.
 
“I do think eventually we need to enable corporations in this country to be able to fight back,” Rouland told an audience Wednesday night at the Carnegie Council on Ethics in International Affairs in New York. “Let’s say someone takes ten million dollars in gold bullion [from you] and you call 911 and they don’t call you back for a week. When do you go get it ? Because for me it’s probably that night. And I think that’s a realistic metaphor of where corporations are today. They’re losing millions of dollars and it’s so challenging for governments to help them, I think we have to enable them to do it themselves.”
 
The notion of “hacking back,” sometimes described as “active defense,” has been hotly debated within the cybersecurity industry and in government. Some have warned that retaliatory hacking risks collateral damage against unintended targets, or even escalating a global cyber arms race. But a provision in the long-stalled Cyber Intelligence Sharing and Protection Act (CISPA) included a provision that would offer legal immunity to firms that engage in retaliatory hacking. Meanwhile, many companies aren’t waiting for legal exemptions: A survey by the security firm nCircle at the Black Hat security conference last year found that more than a third of the 181 respondents had engaged in hacking those who hacked them, and 13% said they’d done so “frequently.”
 
The survey that is cited is somewhat telling, but it should be taken with a grain of salt. It was taken at Black Hat and was comprised of 181 attendees - most of which are hackers themselves or who have an interest in hacking. Actual public opinion on this issue tends to be all over the place. It didn't help the cause that the legal immunity that would have been granted to companies who engaged in retaliatory hacking was packaged into the extraordinarily unpopular CISPA bill.
 
On one hand, if a hacker steals your company's data, it's not as though you can pick up the phone and call the internet police.  There can be all sorts of legal difficulty in dealing with the perpetrator, and just finding him might prove to be more trouble than it's worth.  Even if you do find him, that does nothing to solve your hacking problem in the short term.  Maybe he's copied all of your data onto a remote server that you can see but can't remove without hacking back.  Or maybe you know for certain that your company only has a limited amount of time to do anything before the hacker gets away.  In that case, is it reasonable self-defense of a certain kind to hack back? 
 
But on the other hand, all that legal stuff is kind of important.  If exemptions to hacking laws are made available on the pretext that if somebody else hacked you first, it's ok to hack them, at what point do you have to actually prove that the original hacker actually hacked the victim to start with?  It seems like there's no presumption of innocence until proven guilty under such a scenario.  And what happens when internet vigilantism ends up affecting the wrong person?  A company might mistakenly hack back along a false trail and really make a mess of some innocent person's computer.
 
Is hacking back the solution?  And if it isn't, then what is?  Discuss!

3 replies

Userlevel 7
Thanks for sharing with the community. I found the article quite interesting. My initial angry reaction might be to want to bring the perpetrator to his knees and wipe out his entire infrastructure. Reality then sets in and I start to think a little more clearly about the situation. The hacker will undoubtedly be back up and running in a very short period of time regardless of what anyone does in retaliation. It really is the job of the user, business or home, to secure their assets in the best, most thorough, and cost effective way possible. If I do my job properly, I will undoubtedly shrink the quantity of potential attack vectors a hacking entity can come at me with. Sadly, most businesses, as well as home users, do a piss poor job of safeguarding their digital assets. The investment in securing your systems properly is dwarfed by the potential financial damage a successful hacking campaign can inflict on a company. I would encourage any business or home user to invest heavily in this regard. Also, educate yourself and all those around you. Focus carefully when staffing your IT departments. Hire some out of the box thinkers. Hold everyone accountable. I have no doubt that, if a user takes the time to carefully weigh everything, they will make the right decision and ward off a vast majority of any potential attacks.
Userlevel 5
I think, why not, as long as there's documentation and it's reported. I see it as no different than defending yourself if attacked in a physical altercation, and I would consider a company taking steps to disable an attacker self defense.
Userlevel 3
I would think it would be worthwhile. You would not imagine how many companies get messed up by this. I've had to do penetration tests to find vulnerabilities, and a lot of people don't understand that it literally can only take five minutes for me to do so. There was one company that had me collect evidence of the intruder, and they did end up getting him; for some reason he wasn't very good at masking his MAC address. Either way, I say yes. That way it's less fun for them, or maybe it will turn them into white hat hackers, not black hat.