Letting Businesses ‘Hack Back’ Against Hackers Is a Terrible Idea, Cyber Veterans Say

Sens. Steve Daines (R., Mont.) and Sheldon Whitehouse (D., R.I.) introduced a bill on June 30 that would require the U.S. Department of Homeland Security to study the risks and benefits of allowing companies to take action against hackers in the event of an attack.

The bill came after two major ransomware attacks in May targeting critical-infrastructure operators: Colonial Pipeline Co., which forced a six-day closure of the largest fuel artery on the East Coast, and meatpacker

JBS SA,

which took some U.S. beef-and-pork processing offline.

“The Colonial Pipeline ransomware attack shows why we should explore a regulated process for companies to respond when they’re targets,” Mr. Whitehouse said in a statement. Aides for Sens. Whitehouse and Daines declined to make them available for interviews.

Former Defense Department officials said that allowing companies to “hack back,” as it is known in cybersecurity circles, is a flawed and even dangerous proposition.

“So many things could go wrong, and very little can actually go right,” said

Anup Ghosh,

a former program manager at the Defense Advanced Research Projects Agency, or Darpa, part of the Defense Department.

Mr. Ghosh, now the chief executive of cybersecurity firm Fidelis Cybersecurity Inc., said that for a company, even deciding whom to counterattack is fraught with risks, given the difficulties of attributing attacks to individuals, gangs or nation-states. Introducing the private sector into the cyberwarfare arena also has national-security implications, he said, such as disrupting intelligence operations that companies might not know about.

Former U.K. cybersecurity official

Ciaran Martin

framed his opposition to hack-back proposals more bluntly at an event Tuesday at the Royal United Services Institute, a British defense and security think tank.

“Hacking back is a crazy idea,” said Mr. Martin, who until August 2020 ran the U.K.’s National Cyber Security Centre, part of the country’s digital spy agency, the Government Communications Headquarters.

Under U.S. law, only the federal government is permitted to take offensive cybersecurity actions through law-enforcement agencies and the military. In January, the Justice Department worked with international partners to disrupt networks of computers used to launch a prolific series of attacks with malware known as Emotet.

Studying whether companies could replicate such operations isn’t itself a bad idea, said Maurice Turner, a cybersecurity fellow at the Alliance for Security Democracy, part of the German Marshall Fund of the U.S., a think tank. But he warned that firms could step into geopolitical conflicts.

Incomplete or inaccurate information could also lead to collateral damage at other companies, said Jacob Williams, a former Defense Department cyber analyst who is now the chief technology officer of incident-response firm BreachQuest Inc. Hackers often mask their presence by launching attacks through legitimate servers, which might be vital to other companies’ operations, he said.

“While law enforcement can easily see that a server is shared through executing a subpoena, offensive security teams have no such tool available,” he said. “Even assuming a private hosting server, should private organizations be allowed to compromise the victim again in the name of security?”

Such nuances highlight how the government and private sector must maintain clear dividing lines in cybersecurity, particularly when it comes to cyberwarfare, said

Hitesh Sheth,

the chief executive of cybersecurity firm Vectra AI Inc.

“No recent development inspires me to rethink that balance,” he said.

—Catherine Stupp contributed to this article.

Write to James Rundle at [email protected]