Hacking Back

There's a really interesting paper from George Washington University on hacking back: "Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats."

I've never been a fan of hacking back. There's a reason we no longer issue letters of marque or allow private entities to commit crimes, and hacking back is a form of vigilante justice. But the paper makes a lot of good points.

Here are three older papers on the topic.

Posted on February 13, 2017 at 6:40 AM • 31 Comments

Comments

Michael P • February 13, 2017 7:07 AM

We no longer issue letters of marque because modern navies are effective enough to deal with the problem instead. We do have private military companies, though.

Depending on how you define "allow", US governments have either never allowed private entities to commit crimes, or always have and still do.

In particular, we do allow private entities to defend people and/or property with actions that would be crimes in practically any other circumstances. Shop owners can detain suspected shoplifters, a "citizen's arrest" is allowed in many other circumstances, and of course armed defense -- even extending to the use of lethal force -- is allowed in a variety of circumstances that vary by jurisdiction.

So it's both overly broad and legally irrelevant to say that we don't allow people to commit crimes. That factual error detracts from whatever distinction one is trying to make between offensive and defensive hacking. Why do we allow people to take proportionate defensive countermeasures in the physical realm, but object to countermeasures in the digital realm? If someone being DDoS'ed seizes control of the botnet to uninstall the bot software, is that morally wrong? What if they also patch the security problem(s) that the botnet exploited?

r • February 13, 2017 7:24 AM

@Michael P,

Some of that reticence may be due to the whole 'operating on public motorways' thing. It's a long pdf, though; I'll muddle through it when I have some more free time.

It would be my hope that DDoS isn't one of the practices advocated for from a company defense stance, this kind of document makes me nervous about the whole 'warring corporations' thing. Am I fear mongering?

@Wael,

Isn't that John Malkovich listed in the credits?

Vesselin Bontchev • February 13, 2017 7:31 AM

"Solving hacking problems by hacking back is like solving mice problems with more mice." --Matthew Green

@Michael P, there are a lot of problems with your line of reasoning. The main problem is that "hacking back" always involves intrusion into someone else's computer. If a gang is attacking your house, you're generally permitted to shoot at them in self-defense. You are not, however, permitted to go to their HQ and shoot them all there, even if your goal is to prevent their attacks on your house.

If a botnet is attacking you, there are several legitimate ways by which you can defend yourself - ways which involve only measures taken on computers you own (or on the computers of your upstream provider). Trying to hack into the machines attacking you can cause a lot of problems to the legitimate owners of these machines, if you screw up - which is especially likely if you try to "fix" a perceived vulnerability in an unfamiliar environment.

First, do no harm to computers you don't own or otherwise legitimately control.

Arrgh • February 13, 2017 8:48 AM

If fitting up a sloop with cannons was as cheap as downloading portspoof, letters of marque would never have gone away.

Wael • February 13, 2017 10:05 AM

@r,

Isn't that John Malkovich listed in the credits?

How many times did I tell you to give references to your comments or questions, huh? I'm at a loss why my words are falling on deaf ears! You want me to read every word?

If I go by guesses, then I would say Michael Chertoff is credited somewhere.

Clive Robinson • February 13, 2017 12:44 PM

@ Michael P,

Why do we allow people to take proportionate defensive countermeasures in the physical realm, but object to countermeasures in the digital realm?

The simple answer is "traceability". When you perform a "citizens arrest" you have to be acting on "first hand knowledge" and at the scene of the alleged crime or after the delightfully named "Hot Pursuit". To do otherwise is to perform "illegal imprisonment" or worse.

It's easy to demonstrate that traceability to the level required is not possible in the intangible, non-physical, information world.

parabarbarian • February 13, 2017 12:48 PM

Cyberspace is not the Wild West. If it were, taking down an attacker would be legitimate self-defense. Also, it was not unheard of for a group of citizens to track a gang of thugs to their lair and exterminate them. Sure it was a species of vigilantism but it was the only realistic option the peaceable citizens had. Despite the mythology you see on television and in the movies, crime in the Wild West was less than a mid sized American city and very much less than a social midden like some parts of Chicago or Detroit.

Make no mistake about it: If the world's governments cannot or will not control these criminals then private action is inevitable. Maybe Letters of Marque or some cyberspace equivalent is a good idea.

Blank Reg • February 13, 2017 3:38 PM

I disagree on the usefulness of "Letters of Marque" in the suggestions that we have navies now, so it's irrelevant. I think it's a sort of state-sanctioned "private reprisal" kind of thing, and just the ticket for countries who have been attacked, but otherwise have not consciously gone out to hurt someone else in the world. It's also a helluva lot cheaper than a goddam navy.

Ron Paul actually called for this in a speech on the House floor right after 9/11. (But in that case, he wasn't suggesting we were an innocent victim - as Trump has also suggested more recently. 9/11 was blowback for 50 years of violent policy decisions.)

If you're primarily a peace-loving country that normally minds its own business, Letters of Marque and Reprisal are the perfect solution.

And let's bring back dueling while we're at it. That might help "drain the swamp" a lot more quickly.

Ted • February 13, 2017 4:01 PM

From the Spring 2012 paper:

"Over eighty percent of the nation’s CNI [Critical National Infrastructure] is owned and operated by the private sector. Although there is substantial governmental interest in protecting CNI, a survey of CNI and computer security executives indicated that forty-five percent did not believe that their government was very capable of preventing or deterring cyberattacks. Some commentators suggest that private owners of CNI should be encouraged to develop and adopt their own cyber preparedness standards."

Trump spoke to reporters prior to a meeting he held with cybersecurity experts on January 31, 2017 to discuss his cybersecurity agenda and protecting U.S. infrastructure.

Rudy Giuliani, Dan Coats, Mike Mullen, John Kelly, and Keith Alexander added to the statements. Mr. Giuliani articulated the importance of private sector participation and responsibility for cybersecurity, potential global outreach for long-term solutions, and a council meeting that would invite the private sector to discuss the problems they have, as well as the possible solutions they have, so that those solutions could be evaluated alongside those the government could provide.

The George Washington University Center for Cyber and Homeland Security "Into the Gray Zone" active defense spectrum positions Information Sharing as the lowest risk/impact active defense measure.

As far as information sharing across the public and private sector, the ISAO SO published a U.S. Government Relations, Programs, and Services guide and also offers a "Government Relations” Working Group that covers the following matters:

• Legal issues and responsibilities when working with law enforcement
• Legal issues and responsibilities when working with the intelligence community
• Managing interactions with U.S. regulators
• Requirements for information sharing between the U.S. Government and the private sector

At the end of last year there were 17 registered ISAOs, 24 registered ISACs, 6 registered other information sharing organizations, and 13 states with information-sharing organizations, according to an ISAO SO 2016 Year in Review report.

r • February 13, 2017 5:20 PM

@Wael,

The honorable, ofc.

Co-author of the very much acclaimed Patriot Act. I digress; alas, I find myself in need of a carrot for my eyesight lest the stick cane me.

Wael • February 13, 2017 6:52 PM

@r,

I find myself in need of a carrot for my eyesight

Oh, cry me a dozen rivers. I need this many carrots. The original kind, not the knock-offs, mind you!

Re: Hacking back...

If I have the time and someone calls and asks me to login to a web site with my local computer username and password, I usually waste a lot of their time. I consider that "good" hacking back. If I get a suspicious link, sometimes I trace it, and if I click on it by mistake, I factory reset my phone.

enonniemouse • February 13, 2017 6:53 PM

Is it hacking if you label some dangerous file "CEO Porn Stash" and let them steal it?

xylogx • February 13, 2017 7:14 PM

This is just another excuse to spend defensive monies on offensive capabilities. In the competition between offensive and defensive budget pressures we were sold a bill of goods that the best defense is a good offense. This is how we got into the situation we are today with a weaponized NSA who cannot protect even the most critical parts of our national government infrastructure like the OPM. What we need is to get serious about securing our infrastructure, not yet another excuse to expand our already sprawling out of control offensive capabilities.

Bob Dylan's Nervous Breakdown • February 13, 2017 7:40 PM

This is how we got into the situation we are today with a weaponized NSA who cannot protect even the most critical parts of our national government infrastructure like the OPM. What we need is to get serious about securing our infrastructure, not yet another excuse to expand our already sprawling out of control offensive capabilities.

I do not believe that this is coincidental. The ultimate end is to convince one to be naked because everyone else is naked too. People who are not naked (playing defense) are deformed. Of course, a la Animal Farm, it will never be that way in reality because some people will be more naked than others. But the powerful cannot play their word games and be more naked than others until everyone else has disarmed.

@ Clive
It's easy to demonstrate that traceability to the level required is not possible in the intangible, non-physical, information world.

In the ideal case. Of course, as thousands of CP investigations have shown, the jails of the world are filled with those who fail to live up to the ideal case.

r • February 13, 2017 7:59 PM

@Wael,

OT unless I'm missing something (all things considered, many things likely), but that's not rabbit heaven: it's rabbit hell.

@xylogx,

My sentiments exactly, I'm still curious as to what the 'good points' are to be found within the boundaries of this pdf. Maybe tomorrow.

r • February 13, 2017 8:04 PM

@enonniemouse,

No, that's misdirection, and if it's baited it's still not hacking back; it's recon.

Their bad imb, downloading proprietary software and executing it within the confines of their not-so-confined systems is not "hacking-back" it's preloading #1.

While some may argue that it's an offensive, err offensive capability it's certainly not the prior or is it not the ladder?

Come at me bro. ;-)

r • February 13, 2017 8:06 PM

If you "pre-loaded" ransomware you may get yourself into trouble; I guess certain scenarios are still dangerous offensively.

Don't get all defensive on me.

Jeffrey Radice • February 14, 2017 12:16 AM

Hardly shocking that the Department of Homeland Security would be out in front of the arms race to further weaponize software. After all this relay race was begun by the United States Department of Defense in the 1970s and 1980s.

Edward Hunt summarized it quite succinctly in a July-Sept 2012 piece in the IEEE Annals of the History of Computing, entitled "US Government Computer Penetration Programs and the Implications for Cyberwar,"

The US Department of Defense was the driving force behind the development of sophisticated computer penetration methodologies. By analyzing the security of the nation’s time-sharing computer systems, security analysts developed an expert understanding of computer penetration. Eventually, the US and its intelligence agencies utilized computer penetration techniques to wage offensive cyberattacks.

Society could benefit from a bit more introspection regarding the tools and methodologies we are wanting to unleash from our "defense" laboratories. This particular story assuredly predates the myth of Pandora, and yet we never seem to learn. No wonder the aroma of fear that clouds a future with IoT, robots, autonomous vehicles and machine intelligence. Are these all destined to be weaponized as well?

Wael • February 14, 2017 12:33 AM

@Jeffrey Radice,

Are these all destined to be weaponized as well?

Aren't they already weaponized? Do you have any doubt?

Clive Robinson • February 14, 2017 3:15 AM

@ enonniemouse,

Is it hacking if you label some dangerous file "CEO Porn Stash" and let them steal it?

It's not hacking but it's certainly the equivalent of a crime.

Imagine, if you would, a very expensive handbag that a bag snatcher is most definitely going to want to add to their collection. You hide inside it a device that is in effect an anti-personnel weapon, with a special arming system that activates when the bag is taken from a location and goes off after the bag has been at rest for two minutes and is opened.

You have no idea where the bag is or in whose company it is going to be when the anti-personnel device goes off.

Likewise if you put some payload in that CEO file you will have no idea where it will go off and how much damage it will do...

A true story for you from back in 1994: a man took a bag from a train at Reading Station, west of London, late one Thursday morning. On getting it to his sister's house he found it had what he thought was a bomb in it. He phoned the police, with the result that the whole of Reading town center went on lockdown. The reason I remember it quite vividly is that that Thursday also happened to be the setup day for a Reading Music Festival (WOMAD) that I was helping out with, and I was traveling through the town center when the lockdown went into place. As it turns out it was not a completed bomb but a kit with all the components to make one.

The point though is that if you leave "attractive nuisances" around you really do not know where they will end up, or how much damage they will do there if you weaponise them.

r • February 14, 2017 7:01 AM

Beacons are the one thing I can think of that can work deeply embedded both during and after distribution and be operated safely behind enemy lines.

Of course, the larger and more complex you make them the better chances they have of being discovered - this is probably why dye bags have timers/proximity sensors whereas gps tags can go further but risk discovery once thumbed through?

Where electronic documents are concerned, beacons are probably one of the simplest if not the most stealthy thing to pre-pair.

Dave Dittrich • February 14, 2017 6:16 PM

@Michael P, That is not the reason we don’t use Letters of Marque any more. Both you and @Blank Reg may want to use them, but it isn’t possible. We don’t use them because the U.S. is a signatory to Paris Declaration Respecting Maritime Law of 16 April 1856. Now there may be some way to revive a form of this mechanism, but it will require far more details in terms of who, what, where, when, how, and why, than any proposed “framework” or law review article that I have seen to date (including the GWU report mentioned by @Ted).

@Vesselin Bontchev gets to the main issue, which I and my co-authors have framed as “acting outside of your own zone of authority.” (Yes, this often involves unauthorized entry into systems of third parties, some of them innocent third parties.) The issue of botnets (note that I *hate* the term “botnet” because it is overly vague and complicates reasoning) is complex, and not everything you would do can be done within your own network, or your own zone of authority. I would call your attention to this blog post.

@Clive Robinson, we don’t allow “proportionate countermeasures” in all cases, especially not use of physical deadly force to protect property. I would hasten to ask, however, what “proportionate countermeasures” are you talking about? The term “countermeasures” has many meanings, one of which in the context of international law is sovereign nations using diplomatic, military, intelligence, economic (sanctions, tariffs), and law enforcement actions. None of those are options available to the private sector, however. I can’t impose a tariff, or put on a uniform and shoot an M16 rifle, at someone who I believe is a foreign military officer (though many who argue for “private sector active defense rights” implicitly and falsely analogize). As in the blog post above, private sector actors can use civil legal process, such as temporary restraining orders, under existing western legal regimes. They don’t need any new special rights, just the ability to show harm and standing (i.e., damage occurs within a legal venue where they bring the suit).

@r brings up the issue of “beacons” (to which the GWU report adds a new term “die packs” that IMHO is a false analogy that dangerously misrepresents what is technically possible). This is more complicated than it may seem, and “beacons” may not always give as accurate an attribution as an unsophisticated technical analysis may suggest. Yes, they might work in some cases, but someone who doesn’t know what they are doing will shoot back at the wrong party. This lack of technical understanding of the tools, tactics, and procedures that would be used in “hacking back” (another overly vague term that can mean just about anything), is the reason that many law review articles, like the Kesan and Hayes article that Bruce lists third in his “other reading” list, again IMHO get the argument exactly backwards because the premise of the argument is flawed in how the authors technically understand it. Kesan and Hayes are one of several legal scholars who think the Unix “traceroute” program provides accurate and complete “attribution” of an attacker, enough to justify safely striking back at the “attacking bots” (many of which, demonstrably, time and time again, are infected computers at hospitals, universities, etc.) It is not hyperbole to point out that “bots” exist on computers in pretty much any industry sector, and their operation may be far more stable in the face of being infected with malware than it would be by anyone unleashing a “white worm” to clean them up or shut them off as a “strike back” action during an “attack.” (I am quoting all of those words because of the ambiguity they raise.) A colleague, Katherine Carpenter, and I spoke about this at CyCon two years ago. Slides are here and the video of our talk is online in the Strategy and Law track, 04.06.14.

I am working on getting my own book on the subject ready to release (in partial form, “lean publication style”) in the near future. I’ll follow up when it is publicly available.

r • February 14, 2017 6:56 PM

@Dave Dittrich,

Quick response, I align with Mr. @Bontchev.

My -dye bag- position should be construed as watermarking escrowed or permutative data.

Beacons as you and I both well note aren't 100%, but even without 100% provided that they work at all still provide indicators of compromise or authentic unauthorized views of original data.

Thank you for your organized response and I (and likely others) look forward to more of your input on this matter.

Jeffrey Radice • February 14, 2017 8:36 PM

@Wael

No wonder the aroma of fear that clouds a future with IoT, robots, autonomous vehicles and machine intelligence. Are these all destined to be weaponized as well?

Aren't they already weaponized? Do you have any doubt?

They are. I have no doubt.

Clive Robinson • February 14, 2017 8:42 PM

@ Dave Dittrich,

@Clive Robinson, we don’t allow “proportionate countermeasures” in all cases, especially not use of physical deadly force to protect property. I would hasten to ask, however, what “proportionate countermeasures” are you talking about?

I'm not in any way in favour of countermeasures that attack an attacking machine, or anything it is connected to. In part because it's unlikely you will find the original attacker's machine, but mainly because you would be escalating a situation beyond control.

I've a history of pointing out that when it comes to cyber attacks they should be dealt with by the LEAs as crimes not MilAs as precursors to war.

The last people that should have anything whatsoever to do with hacking back are ordinary citizens, who have neither the required experience nor, more importantly, legal or diplomatic cover.

Like a number of others here I blame the SigInt Agencies for the lamentable state of network security, and secondly their "wag tail" politicians passing legislation that says they can damage the systems even further, rather than be brought to task.

As others have pointed out "We kill on metadata" is a recipe for disaster as is any "Find Fix And Finish" kinetic solution.

There are no two ways about it, they are "Primary Act of War" and at one point the US Gov were seriously considering kinetic attacks on everything it assumed was a hacking attack.

The problem of course is to get any kind of attribution sufficient to "point the finger" or present as evidence the SigInt Agencies must already have committed such a primary act of war.

The US has dug a large hole for itself over the years by pretending it occupied some "moral high ground" over its Cyber-Criminal activities. If you catch a burglar in your house, you don't give them a pass because they claim they were not stealing "commercial" property.

The most likely outcome of US SigInt behaviour is that the Internet will become balkanised. To try to limit FiveEye etc attacks, those splitting off will try not to use US or other Western equipment. This balkanization nearly happened in 2014 with the UN ITU "World Telecommunication Development Conference 2014" (WTDC-14) in Dubai. The chances are it will actively progress that way in WTDC-17, coming up in Buenos Aires later this year.

NystagmusE • February 20, 2017 10:42 AM

Retaliatory hacking ("hacking back") is not a logical nor safe principle nor response. It should be avoided at all times.
Also, it should not be discussed casually as an approach, since the articles of interest use the disclaimer that even as a controversial idea, it should only be pondered (although I think not) by military powers. Here are the reasons why it should not be pondered or used by anyone:

1) Misattribution. ("Oops, sorry, wrong number")

It's so commonplace for hackers of any type to disguise their true identities as well as vectors of influence.
It's also commonplace for hackers of any type to utilise any means necessary to accomplish their hacking goals.
Since hacking techniques are not limited to just internet, just telephony, just social engineering, just identity theft, just firmware, just software, or just hardware, there are always a huge variety of means for hackers to disguise their vectors of influence as well as their identities and even their targets.

You could not be sure that you were retaliating against the correct item(s).

To retaliate against the wrong item or items would most likely lead to widespread provocation of hypermalignant internet and cyberwarfare, and the only ones to blame would be those who foolishly retaliated.

Vengeance begets vengeance.
It is entirely maladaptive.

Militaries have a long, decades and centuries long history of overinvolvement with vicious cycles of vengeance begetting vengeance.

2) Way too much collateral damage. Please don't destroy the information habitat just because people somewhere hate you, perhaps for wrong reasons.

Way too many innocent lives and businesses would be affected by a conflagrated cyber war. Retaliatory hacking simply agitates an already agitated information ecosystem and makes it worse for all, including the originally affected victims. Also there is no peace accomplished via the threat of retaliation, because the internetworks and technologies and vectors are so complex and dynamic and varied and because of the reasons listed above.

Retaliatory hacking simply does not work and is illogical.
There might be some extremely rare and specialized exceptions, but I wouldn't trust militant technology users to be stable and logical enough to comprehend and utilize the criteria for such exceptions. However, those career forensic professionals who are sworn to uphold the law without conflicts of interest and whom have the correct credentials and education and tools and cooperative planning might be able to accomplish a more neutral and technologically gentle way of protecting systems. For example, the FBI could create a "vigilante virus" that spread around the internet fixing and patching up people's and businesses security holes except for those owned by known criminals. The FBI has the forensic expertise and intersocial resources and could partner with the Defensive portion of the NSA (not the Offensive portion of the NSA) to accomplish such a thing. But the scope of such a project would have to be systematically preplanned, and monitored, and would always be at risk of being modified and copied by adversaries. So really, even that is risky as well.

3) It is better to stop hostility at the source. The source causes of most hostilities are ideological, and not technological, and not based solely upon technological nor military advantage nor disadvantage. If you can find a way to convince adversaries to comprehend and agree to alternatives instead of hostility and fighting, that is always better. In other words, employ diplomacy, even and especially within the realm of "cyber" disagreements.

4) Digital diplomacy has the advantages of possibilities of partial and/or temporary anonymity in ways that in-person diplomacy might not always have. So digital diplomacy might even be more successful than in-person diplomacy in some circumstances. However, in-person diplomacy's strengths are everlasting and could be combined with digital diplomacy in some unusual ways. However, it is important to make sure that diplomats as well as non-diplomats are not simply working for a faceless, nameless computer program even if it is used to hire and deploy them into reconciliation with adversaries.

5) The legal system of checks and balances needs time and resources and innovative law-making and amendments to catch up with the status quo. "Hacking back" would not have enough constraints ethically nor legally to keep it from being abused.

If this surprises you, please give these ideas a chance to be properly understood.

Peaceful dialogue tends to be preferred. This could actually be accomplished somewhat easier via digital channels where people might not have the ability nor willfulness to harm each other, yet could still exchange ideas and information to ensure greater reconciliation and intersocial stability, regionally as well as geopolitically.

Please don't turn the internet into a battlefield.

6) AI is the wildcard. Way too many unknown unknowns with Artificial Intellects/Intelligences involved now. Please do NOT provoke an already bizarre and delicate situation for all, especially in its early stages. We need to be able to teach AI's the ways of peaceful cooperative coexistence, not relentless neverending war and suffering and provocation and vengeance and blind illogical detriment to all.

Mutually-assured survival is preferred.

We are all each invited to wake up and smell the reality.

hacking back • February 21, 2017 9:17 PM

black ice firewall had policy of "counter probe the prober".
was bad idea.
hacking back not even make sense. machine you think hacked you might be zombie in botnet. most bad idea ever.
waste time on how make enemy less secure, it was time could have been spent make yourself more secure.
