Governments and corporations have realized that a purely passive, defensive approach to cybersecurity has limited success. Instead, there is growing recognition of a need for persistent engagement that infiltrates and degrades an attacker's systems and infrastructure. Also known as hacking back, offensive cybersecurity operations refer to proactive attacks on the attacker's own infrastructure, intended to cripple or disrupt current operations and deter future ones. Offensive cybersecurity has the advantage of stopping or preempting cyberattacks before they impair target systems or penetrate cyber-defenses. It can also introduce uncertainty into an attacker's planning and influence their behavior.
Despite its merits, offensive cybersecurity is not without significant risks. Before developing and executing an offensive cybersecurity strategy, it is essential you recognize the different ways things can go wrong.
1. Cycle of escalation
While offensive operations may appear promising in deterring cyber-adversaries, there is the real risk of escalating cyber-conflict over the long term. As retaliatory and preemptive cyber-operations become the norm, an ever-higher number of actors will adopt this line of attack. As more actors do this, so does the risk of unintentional damage, chaos, and escalation.
A preemptive cyberstrike may of itself be deemed an unprovoked cyberattack, thus triggering a cycle of retaliatory and escalatory tit-for-tat strikes.
2. Monitoring and copying by malicious actors
Hacking back does not take place in a vacuum. While offensive operations may be directed at a specific actor, that does not mean the onslaught remains hidden from the eyes of third parties. There may be other parties looking for ways to break through the same target. It is possible that during offensive cyber-operations, these parties observe the hacking attempts. That way, they may obtain intelligence, tips, and tools to gain entrance to the target network.
The risk of offensive cybersecurity tools being stolen or reused by malicious actors is not new or without precedent. The debilitating WannaCry and NotPetya attacks of 2017 both spread using EternalBlue, an SMBv1 exploit developed by the National Security Agency and published by the Shadow Brokers group in April of that year; NotPetya, despite its ransom note, behaved as a destructive wiper rather than recoverable ransomware.
3. Uncertainty in attribution
When a physical attack occurs, there are multiple ways of identifying the aggressor. From eyewitness accounts to CCTV records, there is usually strong evidence that makes it easier to know exactly who the aggressor was. In the cyberworld, though, attribution is more complicated.
There are technical means of identifying where an attack originates. While these have improved over the years, attribution is not an exact science, and it never guarantees 100 percent accuracy. False-flag operations, in which an attacker plants another group's tools, language strings, or infrastructure, could direct an offensive cyber-response at the wrong actor. Consider a DDoS attack launched from a botnet of hijacked third-party devices, or one that bounces spoofed requests off open DNS or NTP servers: the addresses in your logs belong to victims and bystanders, not to the attacker. Owning the device that sent the packet is not the same as being the person behind the attack.
Attacking the wrong actor could see them launch their own retaliatory action. This only exacerbates the situation: it needlessly makes your systems and data the target of a new adversary while the original one continues untouched.
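The DDoS case above is where log-derived "attribution" most often goes wrong, so here is the kind of triage a responder should run over attack flows before anyone proposes a response. This is an added example, not code from the original article; the flow-log format, the bogon list and the reflector-port table are assumptions, and the sample log is constructed (documentation prefixes stand in for public addresses). Each source address is sorted into one of three bins: forged (unroutable source space, so the address carries no information), reflected (an unsolicited reply from a third party's open UDP service, so the host is itself a victim), or unverified (a direct sender that may still be a bot, a proxy exit, or a planted false flag). Only the last bin is even a lead, and the code deliberately does not promote a lead to an attacker.

```python
"""Triage source addresses in a DDoS flow log before treating any of them as
"the attacker".  Added example: the log format, BOGON_NETS and REFLECTOR_PORTS
are assumptions, and SAMPLE_LOG is constructed, not from a real incident."""
import ipaddress

# Address space that should never appear as a source on the public Internet.
# A packet claiming to come from here carries a forged source address and
# tells you nothing about where the attacker really is.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# UDP services commonly abused for reflection/amplification.  A flow whose
# *source* port is one of these is a reply from a third party's open server,
# triggered by the real attacker spoofing the victim's address.
REFLECTOR_PORTS = {17: "qotd", 19: "chargen", 53: "dns", 123: "ntp",
                   161: "snmp", 389: "ldap", 1900: "ssdp", 11211: "memcached"}

# Constructed sample flows: timestamp proto src sport dst dport bytes.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes standing in for
# public addresses; 203.0.113.10 plays the victim.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z udp 10.0.0.5 53 203.0.113.10 4444 3996
2023-05-01T10:00:01Z udp 198.51.100.7 123 203.0.113.10 4444 468
2023-05-01T10:00:01Z udp 192.0.2.44 11211 203.0.113.10 4444 1400
2023-05-01T10:00:01Z udp 192.0.2.44 11211 203.0.113.10 4444 1400
2023-05-01T10:00:02Z tcp 172.16.3.9 40000 203.0.113.10 443 60
2023-05-01T10:00:02Z tcp 198.51.100.200 51523 203.0.113.10 443 60
2023-05-01T10:00:02Z tcp 198.51.100.200 51524 203.0.113.10 443 60
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, proto, src, sport, dst, dport, nbytes = line.split()
    return {"ts": ts, "proto": proto.lower(), "src": ipaddress.ip_address(src),
            "sport": int(sport), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "bytes": int(nbytes)}


def classify_source(src, proto, sport):
    """Return (category, reason) for one flow's source address."""
    src = ipaddress.ip_address(src)
    if any(src in net for net in BOGON_NETS):
        return "spoofed", "source is in unroutable/bogon space; the address is forged"
    if proto == "udp" and sport in REFLECTOR_PORTS:
        return "reflected", (f"reply from an open {REFLECTOR_PORTS[sport]} reflector; "
                             "the host is a third-party victim")
    # Nothing here proves the host is the attacker: it may be a bot on a
    # hijacked device, a VPN/proxy exit, or a deliberately planted false flag.
    return "unverified", "direct sender, but attacker identity not established"


def triage(log_text):
    """Group every distinct source by category: {category: {src: reason}}."""
    report = {"spoofed": {}, "reflected": {}, "unverified": {}}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        cat, reason = classify_source(f["src"], f["proto"], f["sport"])
        report[cat][str(f["src"])] = reason
    return report


def attributable_sources(log_text):
    """Sources a responder could even begin to investigate.  Spoofed and
    reflected sources are excluded outright, since acting against them hits a
    bystander.  The hosts returned are leads only, not attribution."""
    return sorted(triage(log_text)["unverified"])


if __name__ == "__main__":
    for cat, hosts in triage(SAMPLE_LOG).items():
        for host, why in hosts.items():
            print(f"{cat:10} {host:16} {why}")
    print("leads needing further evidence:", attributable_sources(SAMPLE_LOG))
```

On the sample log, five distinct sources collapse to a single unverified lead, and even that one is only a host that sent SYNs at the victim. Note that the bogon check runs before the reflector check: a forged RFC 1918 source on UDP/53 is still a forged source, and there is nobody at that address to respond to.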
4. Legal hurdles
In the United States and much of the world, a private organization that breaks into someone else's systems is committing criminal hacking, whatever its motive. In the U.S., hacking back would violate the Computer Fraud and Abuse Act (CFAA), which prohibits intentionally accessing a computer without authorization; the fact that the computer belongs to someone who attacked you first is not a defense.
A bill first introduced in the U.S. House of Representatives in 2017 and reintroduced in 2019 seeks to change this for organizations responding to intrusions into their own networks. Known as the Active Cyber Defense Certainty Act or ACDC, it would amend the CFAA to provide a defense to prosecution where the party's conduct is an "active cyber defense measure" taken in response to a persistent unauthorized intrusion, subject to conditions such as notifying the FBI beforehand and not destroying data on, or causing physical injury through, the other party's systems. At the time of writing it remains in the House; if passed, it would give offensive cybersecurity operations in the U.S. the legal protection they currently lack.
5. No oversight
While the ACDC Act would be important in giving organizations a legal framework for offensive cyberattacks, who will determine that a given operation was indeed an act of self-defense? With attribution already a challenge, some organizations could use the guise of active defense to launch an attack against a rival or an entity they have a business disagreement with. A law of this kind could create cyber-vigilantes who are a law unto themselves and use the ACDC Act as a cloak for unmerited attacks.
Worse, there is no framework for determining that the party launching a cyber-offensive has the requisite technical competence. How does one ensure they are attacking the right target and can do so without endangering innocent parties, such as other tenants sharing the same cloud server or the same hosting provider? There is no guarantee that the reacting organization understands the other party's information technology infrastructure well enough to limit the damage to it.
6. International jurisdiction
Bills like the ACDC Act may make it legal for companies to hack back. This, however, creates problems where the cybersecurity offensive crosses borders. The proposed ACDC Act itself only applies to cyberattacks that originate from within the United States. If the attack comes from beyond the country's borders, the victim has no legal basis for hacking back.
Even if the proposed law were to permit offensives beyond U.S. borders, there would remain the question of whether the actions are legal in the target's own country. An organization could find itself in legal trouble because its response is a crime where the target system sits. An attacker can exploit this deliberately by operating from, or routing through, countries where your response would be deemed illegal.
7. Collateral damage
You may correctly attribute a cyberattack to a particular actor. Sometimes that party is a purely criminal entity. At other times, though, it could be sponsored by a government or be a legitimate company. Waging an all-out cyber-offensive against such an actor could result in widespread collateral damage: the citizens of that country, or the customers of that company, would be innocent parties in the resulting cyber-conflict, and an offensive should seek to avoid harming them. Attacking an organization that forms part of a country's critical infrastructure (for example, an electric utility or a water supply) should be out of bounds or, at the very least, carefully calibrated.
The consequences of a no-holds-barred offensive may include death, injury, disclosure of confidential information, and other harm to people who neither know about nor support the initial attack.
Offensive cybersecurity needs caution
Traditionally, defensive cybersecurity was the only approach available to organizations and governments. But as sophisticated cyberthreats have become the norm, the concept of offensive cyber-operations has gained traction. Organized cybercriminals and state-sponsored hacking seem to call for a different kind of response.
Despite its benefits, offensive cybersecurity may be illegal, and its outcome is unpredictable: actions and reactions can quickly spiral out of control, rendering a bad situation far worse.
Featured image: Pixabay