Article by my colleague Anthony Caldwell.
Anthony Caldwell holds an MSc in Experimental Physics and an MPhil in Information Systems Research, is currently engaged in PhD research in science education, is SSCP certified, and works as an application security engineer and independent security researcher. He has published work on modeling user behaviour in response to cyberthreats using structural equation modeling techniques, on the ZED attack proxy and on web application security.
This article briefly explores the emergent area of the ‘hack back strategy’, in which, in response to persistent and potentially damaging hack attempts upon corporate enterprises, an active defence model is considered. Hack-back strategies run the risk of hacking an innocent party, since innocent parties are frequently used as unwitting pawns in hack attempts to obscure the source location of the hacker.
The Hack Back Strategy
Approximately one-third of the global population now uses the Internet (Internet Live Stats, 2014). Progressive technological advances have been led by our social need for more interconnectedness, education and business transactions. Importantly, this growth is intrinsically linked to economic growth. Of some concern, then, are recent governmental reports from the UK indicating that 93% of large organisations had a security breach in the previous year, incurring costs of the order of billions of pounds per annum and increasing (GovUK, 2013). In the past six months, some of the most significant breaches in recent times have occurred: an attack on US retailer Target (Riley et al., 2014), eBay (Finkle et al., 2014) and, the most high profile of all, the Heartbleed vulnerability in OpenSSL (Sullivan, 2014). From a security practitioner’s perspective it appears, superficially at least, that there is no end in sight. Despite layered approaches to defense, technological safeguards and security awareness programs, increasingly sophisticated targeted attacks persist. Even with measures such as embedding electronic watermarks and instituting ‘honey pots’ to attract and trap the hacker, technology continues to outpace most of our efforts in industry. Even the legal frameworks in place to deal with such threats are limited. The emergent perspective that a company may take the law into its own hands and fight fire with fire, termed ‘hack-back’ or ‘active defense’, has begun to gain momentum (Messerschmidt, 2013); however, this may be a dangerous path to pursue.
It is the globally decentralized architecture of the Internet that facilitates cyberattacks, and it is in this context that Messerschmidt (2013) argues the case for the hack back strategy through the lens of international law, coining the term ‘transboundary cyberharm’. The problem becomes more acute when we consider the growing use of cloud computing and our insatiable need for mobile devices, which further complicate the threat landscape both technically and legally. Cyberattacks have many goals (denial of service, vandalism, hacktivism, identity theft and financial gain, to name a few), and the Computer Fraud and Abuse Act in the United States (18 U.S.C. 1030 et seq.) lays down a framework for how unauthorized access to computers may be prosecuted. Although jurisdictional variations exist worldwide, hacking a computer or network is illegal, regardless of intent. However, as tempting as the hack-back strategy is, it is not an option, because a seemingly endless number of unintended and potentially harmful consequences are possible. Consider, for example, a compromised hospital server which is used as the staging point for a denial of service attack against a major retailer, government body or financial institution. A hack-back carried out without due consideration may see only the compromised server and engage in aggressive tactics to shut the attack down regardless of the server’s main function. Essentially, hack-back strategies run the risk of hacking the innocent unless care is taken.
Corporate responsibility begins and ends with a firm’s own internal security procedures for dealing with cyber attacks, and many contemporary firms have employed information security experts and ethical hackers to this end. Rosenzweig (2014) considers internal self-defense perspectives, i.e. security within one’s own network, such as the creation of attractive honeypots which are designed to draw the malicious actor into the defender’s own system so that their techniques can be observed. These techniques (signatures) then form part of an intelligence profile used to screen or block incoming traffic associated with those threat indicators. This is typically automated and facilitated by intrusion detection systems (IDS) and web application firewalls (WAF) acting in concert. Beyond the boundaries of the defender’s network, ‘active defense’ or hack back strategies would consider the use of payloads to take action against the malicious actor, causing definitive harm to the adversary; but where, and who, is the adversary?
The Theatre of Conflict
Is there a clearly definable boundary to a corporate network, either technically or legally? It would seem that this boundary is not as distinct as previously thought, with considerable collateral damage likely if an otherwise innocent intermediate server location is used as the battleground. If we return to those engaged in the increasingly popular cloud-based solutions, this problem becomes ever more complex, since the attack may originate from a victim’s location, unaware of their vulnerabilities and in close proximity to others in the cloud, thus exposing many more to attack. Given that the theatre of conflict is global, there is no flight, there is only fight. In fact, so tempting is the hack back strategy that recently the Obama administration’s commission on the theft of American intellectual property gave serious consideration to it (Economist, 2013). To this end, considerable care is warranted in those cases where a corporate entity engages in a cyberwar with indistinct, globally distributed, technically adept cyberwarriors who are experts at obscuring their locations and attacks behind the innocent. Be under no illusions: the cost of the hack back strategy will be high, and it is important to reflect on what this may mean. “History teaches that wars begin when governments believe the price of aggression is cheap” (Ronald Reagan, speech, Jan. 16, 1984).
References
18 U.S. Code § 1030. Fraud and related activity in connection with computers. Available at http://www.law.cornell.edu/uscode/text/18/1030
Economist, The (2013). Fighting China’s Hackers. Available at http://www.economist.com/news/united-states/21578405-it-time-retaliate-against-cyber-thieves-fighting-chinas-hackers, retrieved 23/05/2013.
GovUK (2013). 2013 Information Security Breaches Survey. Available at https://www.gov.uk/government/publications/information-security-breaches-survey-2013-technical-report, retrieved 24/04/2013.
Finkle, J., Chatterjee, S., Maan, L. (2014). EBay asks 145 million users to change passwords after cyber attack. Reuters. Available at http://www.reuters.com/article/2014/05/21/us-ebay-password-idUSBREA4K0B420140521, retrieved 08/01/2014.
Internet Live Stats (2014). Available at http://www.internetlivestats.com/internet-users/, retrieved 07/08/2014.
Messerschmidt, J. (2013). Hackback: Permitting Retaliatory Hacking by Non-State Actors as Proportionate Countermeasures to Transboundary Cyberharm. Columbia Journal of Transnational Law, Forthcoming. Available at SSRN: http://ssrn.com/abstract=2309518
Rosenzweig, P. (2014). International Law and Private Actor Active Cyber Defensive Measures. Stanford Journal of International Law, 50, p. 103.