To hack back or not to hack back?
by Kai Roer - Senior Partner, The Roer Group - Wednesday, 12 June 2013.
Many centuries ago, explorers came to the vast land of North America. Shipload upon shipload of dreamers, explorers, businessmen and farmers entered the harbors and spread out throughout the country. They all dreamed of a better life - however they defined it.

As population in the West gradually grew, the need for stability and peace did too. In the very beginning, a gun and the principle of “an eye for an eye” allowed the survival of the best gun-hand, often at the detriment of many a young farmer with lesser gun-slinging skills. This self-regulation has been referred to as the Code of the West.

But after a time it became evident that shoot-outs in the streets were counterproductive to stability, peace and predictability. The principle of self-protection had to give way to another principle.

Thus the law came to the West, and replaced the Code. Individuals gave up (or were forced to give up) their right to pursue justice individually, and handed the task of prosecuting, judging and possibly executing criminals over to the government.

A new resource

If you think of cyberspace as a new resource for you and your organization, it makes sense to protect your part of it as best you can. You build fences to keep your cattle in, and the horse thieves out. You train your cowboys to ride and shoot well, and to recognize newcomers for what they are. And you accept the fact that your government is the one that will pursue and prosecute the thief that stole one or more of your horses.

The challenge arises when you (possibly rightfully so) perceive that your government is not able to deal with the horse thief. In the Wild West, you would have your cowboys string him up and hang him.

In cyberspace, you demand to be allowed to “hack back”. You want your government to delegate the legal persecution, judging and execution to you, because (you claim) you know the situation better.

You may find yourself saying something along the lines of: “Our cyberjockeys are highly skilled, quick to shoot and fully capable of taking down any trespassing hacker. I must have the right to defend myself, and attack is the best defense. Because, my dear government, if I do nothing, it will only be a matter of time before they enter my premises and run me over.”

From your narrow and personal perspective, this kind of reasoning may make sense at first glance. This is the same kind of reasoning that feeds blood feuds through the principle of “an eye for an eye” — “if you kill someone in my family, I will kill someone in yours. Innocent or not, I will shoot.” And so it goes until both families are no more.

Without an overarching governing body, instability, violence and uncertainty become the rule of thumb. It’s obvious that larger groups of humans who need to interact, interconnect and work together need a governing body to sort out disputes and acts of criminality.

A legal system is here to help each one of us, but we have to accept that it may not be perfect, and that it may take some time to adjust it to the cyber domain.

Gut response or intellectual reflection?

A gut response to direct threat is retaliation (or you may choose to run and hide). Consider that we are all part of a global community these days. It is not only you and that horse thief anymore. It is you, your employees, your country, your country´s trade partners, and so forth. In cyberspace, you cannot act like a rogue player who does whatever comes to his or her mind. Your playground is no longer your own backyard where you can argue “self defense” and get away with it.

The implications of hacking back are much larger than you and your organization. What you think of as a simple retaliation operation may quickly evolve into a geopolitical situation with multilateral impact.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th