Revenge Hacking: Ethical Or Too Far?
The recent high-profile hacks that have shaken the finance, consumer, and tech worlds are truly shocking. The fact that companies who hold the data of a significant portion of the population can be hacked should be a wake-up call for anyone who thinks high-risk security breaches can’t happen to them.
While the outrage directed at firms like Deloitte, Equifax and Yahoo has been swift from both the press and from consumers alike—Equifax’s CEO recently stepped down amidst the intense criticism—there’s been another kind of backlash that’s been less publicized. A new report from the Daily Beast has explained the practice of “revenge hacking”, where private companies direct revenge at the hackers, in ways that are often clandestine and not entirely legal:
“This is the underground practice of hacking back, where private companies and individuals retaliate against hackers to protect their own networks or data, often breaking laws in the process. But despite being something of an open secret in the information security world, examples of what exactly happens behind the scenes of these hacking campaigns rarely make their way into the public, stifling the debate on whether this practice should be the norm.”
According to the Daily Beast’s reporting, hacking back can utilize a variety of different tactics. These can include booby-trapping files, looking for weaknesses in a cybercriminal’s online infrastructure, or gathering information to figure out who the hacker is. It can also include the more extreme and sophisticated step of “remotely breaking into a target’s servers and wiping any data, disabling the hacker’s malware, or even launching distributed-denial-of-service (DDoS) attacks to slow the criminal’s operations to a crawl or as a show of force.”
Eye for an Eye?
So why isn’t it legal to hack someone who has gone after you? And wouldn’t it benefit society at large—and act as a deterrent to future hacks—if more companies had the resources to enact this practice as a form of retaliation when they’ve been breached? The short answer is that hacking back violates the US’s stringent Computer Fraud and Abuse Act, as well as other legislation that prohibits wiretapping. In addition, if a company is hacking back at a target overseas, there is the added risk of violating international laws as well, making the risks too high for some to bear.
However, some people are finally speaking up for the need to provide legal forms of recourse for high-profile companies that have been hacked. A US congressman has proposed legislation that, if passed, would be the first to legalize any form of computer intrusion since 1986. According to The Daily Beast: “As drafted by Rep. Tom Graves (R-GA), the Active Cyber Defense Certainty Act (AC/DC) would exempt from prosecution ‘those taking active cyber defense measures’ by hacking into intruders’ machines. It would also allow victims to penetrate the computers of other hacking victims for ‘reconnaissance’ purposes while tracing an attack to its source. The proposal revises a broader draft Graves released in March, which drew derision from security experts. ‘These changes reflect careful analysis and many thoughtful suggestions from a broad spectrum of industries and viewpoints,’ said Graves in a statement.”
It was reported that the WannaCry ransomware attack—which affected 400,000 Windows operating systems in 150 countries—was the impetus for the legislation. The frequency of these attacks is making it clear that hoping for the best and encouraging strong digital habits among your employees is simply not enough when large amounts of sensitive information are at stake. While it will still take some time to gather the support for a bill like this to be passed, the need for it is abundantly clear.