Hack back controversy to fight hacking
After claiming to have obtained and released personal information on the President of the Republic of Indonesia, Joko Widodo and his cabinet members, Bjorka made another splash by offering $100,000 in bitcoin for 3.2 billion data entries reportedly belonging to PeduliLindungi app users on the hacking site, Breach Forums. User contact information, ID card information, travel history, vaccination status, and COVID-19 test results are among the data leaked.
The latest event increased the global cost of cybercrime, which surpassed $6 trillion last year and is expected to climb at a 15% yearly rate over the following five years, reaching $10.5 trillion USD annually by 2025.
With such staggering costs, it’s no surprise that some companies consider retaliating against hackers. It is often referred to as “hack back.” Is it, however, legal to hack back?
A conflict between law and ethics
“No” is the most probable response. Just in the United States, the FBI “warns” victims against hacking back. The Department of Justice calls it potentially unlawful.
However, nobody has formally ruled it unlawful. We don’t yet have a test case in court, and neither has the legislation, whether it be in the US or another country.
But does it still make sense to defer to the authorities when cyber attackers continue to avoid identification — let alone capture and prosecution?
As of now, we can look toward ethics for guidance, which surprisingly might permit hacking back.
Just like “conventional crime”, even when assistance is on the way, you still have a fundamental right to self-defense, since a lot can happen in the few minutes between the home invasion and the arrival of the police. It would be reasonable to protect your family during a home invasion, for instance — in this case, the same principle should apply to cybercrimes.
A study claims that it is ethical in the government context to hack back because they use it to defend their people, but it may not be ethically justifiable for civilians to use the approach.
Apart from law and ethics, for civilians, hacking back is practically a bad idea because doing so only causes bigger risks than merits.
Evil begets evil
Cyber crimes can take multiple forms just like conventional crime, the biggest issue is finding the right perpetrator. But what if you can’t identify your attacker? What happens if you attack an innocent person?
A clear example of this can be described with a DDoS attack.
DDoS, or “distributed denial of service” attack, is when a hacker attempts to flood a victim’s IT network with a high amount of requests from a large number of computers. This leads to a shutdown of the victim’s network. In the process of a DDoS, many machines are needed for the attack, but these machines can also be other victims with hacked computers unaware of what is happening, since some hackers harvest the computer powers of other innocent people to perform such attacks.
That being said, if a victim of a cybercrime such as a DDoS decides to hit back, that person would also take offense at other innocent people.
Hacking back also raises the possibility of a larger cyberwar, which could result in retaliation, further chaos, collateral damage, or worse: geopolitical implications. A lot can go wrong.
Meanwhile, at the end of the day, this hack back won’t deter all the hackers and the chance to steal the data back is slim, so there is little to be gained.
This looks to be victim-blaming, much like blaming a mugging or rape victim for extra wounds received as a result of retaliation. Should the victims remain silent while being attacked?
Doubled-down self-defense
Considering the risks, it is not feasible for companies to go on the offensive. The self-defense should be grounded around both preventive and corrective measures, doubling down on their cyber defense.
Preventive measures include measures to reduce risks. Companies can actively look for and fix any vulnerabilities regularly. It is important to remember that what safeguarded your companies a year ago may no longer be effective now.
Corrective measures handle the aftermath of an attack with tools such as incident response, forensic analysis, and data restoration from backups. With appropriate corrective measures, in the future, companies can further improve their cyber defense.
Image by DCStudio on Freepik