You have likely heard that “the best defense is a good offense” or that “attack is the secret of defense; defense is the planning of an attack.” It is also likely you have heard the expression: “Revenge is a dish best served cold.”

Depending on the side of the fence you’re sitting on, you might be a strong believer in all or some of the above expressions. As it turns out, you are by no means alone. In the US, policymakers have in recent months been debating a curious bill.

The bill, known as the Active Cyber Defense Certainty Act (ACDC) seeks to legalize hacking back. Basically, if your company falls victim to hackers, you would have the right to hack organizations that you suspect hackers used to mount their assault.

Before you jump on board, take a moment to consider whether the risks outweigh the benefits.

Potential benefits of hacking back

According to a survey by Fidelis Cybersecurity, companies believe that they have the capacity to hack back when hacked if they want to. At least half of the executives responding to the survey said that if it were legal, they would, in fact, hack back. What are the benefits of this aggressive approach?

good

1. Data decryption

In the case of ransomware attacks, hackers often encrypt sensitive information and demand ransom payment to decrypt it. Being able to hack back would be a much easier and more cost-effective way to get decryption keys than paying a ransom.Furthermore, companies are often advised against paying a ransom as it simply reinforces a bad habit. In some cases, after receiving ransom payment, hackers have the nerve to fail to keep their end of the bargain.

good

2. Thwarting malicious actors

When you track bad guys, you might be able to gather sufficient counterintelligence to thwart future attacks. That would involve collecting data on the cybercriminals, which could, in turn, help you narrow down to specific attackers.Having information on such attackers could be all you need to thwart suspicious actors whenever you find them sniffing around your data. With such information, you can either slow down a malicious entity or even selectively disconnect them.

good

3. Taking revenge

Whether you love your revenge dish served cold or steaming hot, the opportunity to exact revenge on a malicious entity seems exciting, doesn’t it? It is vigilante justice in every respect of the word, at least for now, but if ever it were to gain legal recognition, the story might read a bit differently.And in fact, revenge could be a way to dissuade hackers from the vice, knowing that they might get a dose of their own medicine. The concept is so effective and desirable that there have been reports of vendors attacking hackers as a courtesy, on behalf of clients without charging for the service.
good

4. Supporting federal agencies’ efforts

In the US, only the FBI has the mandate to hunt down hackers by hacking. However, in view of the prevalence of cyber-attacks, such agencies are often overwhelmed. Therefore, if everyone had the authority to hack back, it would reduce the burden that government agencies are currently under.

Concerns about hacking back as a strategy

Like any other seemingly perfect plan, the hacking back strategy has its downsides. And unfortunately, these are too big to ignore, especially if you are contemplating going down that rabbit hole.

Bad

1. Attribution issues

One of the top issues that raise eyebrows has to do with attribution – the identification of the perpetrator. Oftentimes, hackers get into company systems by compromising the systems of other organizations that might have a connection to the target.In some of those cases, the gateway organization may not even realize that it has been compromised. If a company was to trace an attack to such an organization, it might wreak havoc on an innocent victim and not achieve its intention.
Bad

2. Collateral damage

If you opt to hack back, you would likely be financially liable for the damage you cause to innocent people in the process. Considering the number of unsecured servers and systems that hackers often go through to get to a target, this could be a costly affair.
Bad

3. Can be very time-consuming

The fact that hackers use multiple systems as staging posts to launch an attack poses another challenge. Trying to follow them through the maze is no mean feat. For example, it’s very likely that the hackers will have used a VPN, leading you on a wild goose chase. It might take inordinate amounts of time, and at the end of the day leave you with a cold trail.And remember, if and when such a pursuit goes wrong, it might tamper with the digital forensics that law enforcers could have used to catch the criminals.
Bad

4. More questions than answers

Hacking back could go wrong for lots of reasons and there are lots of questions to consider before starting down that path. For instance, what happens if in the process you come across the stolen trade secrets of your main competitor?What if you trace hackers back to a nation-state? Could your offensive attack trigger a bigger cyberwar or worse still, an international incident? What if one of the hackers’ staging posts was a hospital or power system and what if in your pursuit you damage records or the entire system?
Bad

5. Revenge turned sour

As you probably know by now, retaliation does not always pan out as planned. To illustrate, an Israeli company, Blue Security, about 10 years back tried the strategy and got shocking results. They chose to flood attackers with a deluge of electronic traffic in response to spam email.Not to be dissuaded, the attackers hit Blue Security with a major Denial of Service attack. That was enough to take them offline and force them to abandon the strategy. Moreover, they eventually had to shut down.

The law of the jungle vs. true justice

On the basis of the above pointers, the lesson that stands out is that cyber frontiers are by no means child’s play. The idea of hacking back might seem strategic, but the costs may outweigh the benefits.

It might have been commonplace in the Wild Wild West for everyone to fight their own battles. Is it fine to do so now?