Despite what appears to be growing support among the cybersecurity community and some government officials, there are others pushing back against the idea that private firms should be allowed to “hack back,” or retaliate in cyberspace.
Senior Adviser to the National Security Agency Rob Joyce criticized the idea that private businesses should conduct offensive operations in cyberspace during an Oct. 23 event hosted by Palo Alto Networks.
“I am a firm believer that ‘hack back,’ or ‘cyber hack’, is escalatory and not de-escalatory, which is one of the reasons we believe that is an inherently governmental operation,” Joyce said.
“Hack back” can have a number of meanings to observers — from active defense to destroying a hacker’s infrastructure as retaliation for a cyberattack. But in its various definitions, the idea has been proposed as a way to deter hackers from attacking businesses.
Experts have been skeptical the idea could work.
“This could get out of hand very quickly,” Pete Cooper, a nonresident senior fellow at the Atlantic Council, told Fifth Domain. He said that mounting offensive cyber operations is more complex than firms realize, and that if they go wrong they will quickly lead to unintended diplomatic and intelligence consequences.
“I understand that people are getting frustrated; getting cybersecurity right is hard. But turning around and saying the solution is commercial organizations going on offense is not helpful. There are well-established and effective ways for organizations to work with international law enforcement agencies and disrupt adversaries in a more ‘joined up’ and strategic manner.”
The comments on whether businesses should take active defense against hackers come as the United States has pledged to become more aggressive in cyberspace.
The U.S. national cybersecurity strategy, released in September, says that it will “attribute and deter unacceptable behavior in cyberspace.”
Industry officials have told Fifth Domain that the new cyber strategy has included increased coordination with the private sector, which could lead to U.S. Cyber Command taking more offensive actions on behalf of businesses.