Whether it is a Social Security number from an individual or financial information from a company, hackers continue to find ways to steal data from millions of Americans. To combat these crimes, the idea of active cyber defense has arisen on Capitol Hill with the introduction of the Active Cyber Defense Certainty (ACDC) Act.
In January, Homeland Security Secretary Kirstjen Nielsen voiced measured support for empowering companies to be more active in their approach to cybersecurity. These active measures would allow companies to access other computer networks in order to thwart cyber attacks, monitor the hackers, collect evidence or destroy stolen files.
Though understandable in moral terms—we all have a right to self-defense—active defense, or hacking back, may create challenges that outweigh its benefits.
The main problem is attribution. Identifying an attacker, or even determining their location, is difficult. The victim may well strike back at an innocent party, who in turn could strike back at yet another innocent bystander, and the situation can easily spin out of control. At a minimum, a hack-back law must prohibit destructive activity. Surveillance might be acceptable, although even that could be problematic. Moreover, retaliating against a cyber hacker is still illegal under international law, so hacking back across national borders could create an international incident.
Another problem with active defense is the potential damage to data or systems belonging to an innocent bystander. Deletion of stolen data could result in damage to a third party who is unaware that their systems are hosting stolen data. This situation, too, could damage foreign organizations or nation-states, putting important international relations at risk.
While the impulse to enable a self-defense strategy is understandable, the potential problems—particularly those that arise from incorrect attribution—diminish its value. Instead, private and public sector organizations should collaborate and focus on enhancing defensive technologies.
A key aspect of cyber hygiene is simply to know what you have. To start, create a framework for information security governance. Identify basic actions for good cybersecurity health, give strategic direction and ensure that cybersecurity objectives are met. Follow best practices for risk management—know the value and sensitivity of your data, apply the most cost-effective security protections and review your security posture regularly to stay ahead of a changing threat landscape.
Track security problems, and actually carry out the recommendations in plans of action and milestones.
Once your basic hygiene is under control, look at more sophisticated technologies, such as threat intelligence sharing to anticipate as many threats as possible and threat hunting to eliminate adversaries that have infiltrated your systems. The first is predictive, the second reparative, and both approaches are necessary.
Instead of hacking back, private companies should focus on basic cyber hygiene and enact a coherent long-term strategy based on public-sector initiatives, like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), and stay ahead of the enemy with techniques like threat hunting and intelligence sharing. Despite the incessant bad news about intrusions, genius hackers and data breaches, it is possible to win the cybersecurity war. As the saying goes, though: defense wins ball games.
Don Maclean is the chief cybersecurity technologist, DLT Solutions.